CN110990804B - Resource access method, device and equipment


Info

Publication number: CN110990804B (granted publication of application CN202010140438.5A; earlier publication CN110990804A)
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Active
Prior art keywords: information, verifiable statement, digital identity, identity information
Inventors: 林渝淇, 陈远, 杨仁慧, 刘佳伟
Original assignee: Alipay Hangzhou Information Technology Co Ltd
Current assignee: Ant Blockchain Technology Shanghai Co Ltd
Related application: CN202010752958.1A (published as CN111680274B)

Classifications (CPC)

    • G06F Electric digital data processing (Section G, Physics; Class G06, Computing, calculating or counting)
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

Embodiments of this specification provide a resource access method, apparatus and device. The method comprises: receiving an authorization request sent by a first terminal device of the user holding a resource, the request asking that access rights to the resource be granted to a user to be authorized and carrying first digital identity information identifying the resource, second digital identity information identifying the user to be authorized, and the access permission information to be granted; generating a verifiable claim (VC) from the first digital identity information, the second digital identity information and the access permission information, and storing first record information of the VC in a blockchain; and sending the VC to the first terminal device so that it forwards the VC to the second terminal device of the user to be authorized, or sending the VC to a VC hosting platform of the user to be authorized so that the hosting platform stores the VC on that user's behalf.

Description

Resource access method, device and equipment
Technical Field
The present disclosure relates to the field of computer technology, and in particular to a method, apparatus and device for accessing resources.
Background
With the spread of paperless office work, electronic documents, spreadsheets, pictures and the like have become users' main office resources. For important resources a user usually applies a privacy setting, after which only that user can access the resource and nobody else has any right to it. In practice, however, there are service scenarios in which a user wants particular users designated by that user to be able to access a resource while everyone else remains unable to.
Disclosure of Invention
One or more embodiments of this specification provide a resource access method, apparatus and device, so as to solve the problem that coarse-grained resource access authorization (a resource being either private to its holder or open to everyone) cannot meet users' requirements.
To solve this technical problem, one or more embodiments of this specification are implemented as follows:
One or more embodiments provide a resource access method. The method comprises receiving an authorization request sent by a first terminal device of the user holding a resource. The authorization request asks that access rights to the resource be granted to a user to be authorized, and carries first digital identity information identifying the resource, second digital identity information identifying the user to be authorized, and the access permission information to be granted. A verifiable claim is generated from the first digital identity information, the second digital identity information and the access permission information, and first record information of the verifiable claim is stored in a blockchain. The verifiable claim is then sent to the first terminal device, which forwards it to the second terminal device of the user to be authorized; alternatively, it is sent to a verifiable claim hosting platform of the user to be authorized, which stores it on that user's behalf.
One or more embodiments provide a resource access apparatus comprising: a receiving module that receives the authorization request described above from the first terminal device of the user holding the resource; a first generation module that generates the verifiable claim from the first digital identity information, the second digital identity information and the access permission information; a saving module that stores the first record information of the verifiable claim in the blockchain; and a sending module that sends the verifiable claim to the first terminal device for forwarding to the second terminal device of the user to be authorized, or to the verifiable claim hosting platform of the user to be authorized, which stores it on that user's behalf.
One or more embodiments provide a resource access device comprising a processor and a memory arranged to store computer-executable instructions which, when executed, carry out the method above: receive the authorization request, generate the verifiable claim, store its first record information in the blockchain, and send the claim to the first terminal device or to the hosting platform of the user to be authorized.
One or more embodiments provide a storage medium storing computer-executable instructions which, when executed, carry out the same method.
In one embodiment of this specification, fine-grained resource access authorization to a subset of users is achieved, which better satisfies service development needs; moreover, because the first record information of the verifiable claim is stored in the blockchain, the validity of the authorization is assured and the record provides a sound basis for later verification of access rights.
Drawings
To illustrate one or more embodiments of this specification or the prior art more clearly, the drawings needed for their description are briefly introduced below. The drawings show only some of the embodiments described in this specification; those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a schematic diagram of a first application scenario of a resource access method according to one or more embodiments of this specification;
Fig. 2 is a schematic diagram of a second application scenario of a resource access method according to one or more embodiments of this specification;
Fig. 3 is a schematic diagram of a third application scenario of a resource access method according to one or more embodiments of this specification;
Fig. 4 is a schematic diagram of a fourth application scenario of a resource access method according to one or more embodiments of this specification;
Fig. 5 is a first flowchart of a resource access method according to one or more embodiments of this specification;
Fig. 6 is a second flowchart of a resource access method according to one or more embodiments of this specification;
Fig. 7 is a third flowchart of a resource access method according to one or more embodiments of this specification;
Fig. 8 is a fourth flowchart of a resource access method according to one or more embodiments of this specification;
Fig. 9 is a fifth flowchart of a resource access method according to one or more embodiments of this specification;
Fig. 10 is a sixth flowchart of a resource access method according to one or more embodiments of this specification;
Fig. 11 is a seventh flowchart of a resource access method according to one or more embodiments of this specification;
Fig. 12 is an eighth flowchart of a resource access method according to one or more embodiments of this specification;
Fig. 13 is a first flowchart of a permission change process according to one or more embodiments of this specification;
Fig. 14 is a second flowchart of a permission change process according to one or more embodiments of this specification;
Fig. 15 is a schematic block diagram of a resource access apparatus according to one or more embodiments of this specification;
Fig. 16 is a schematic structural diagram of a resource access device according to one or more embodiments of this specification.
Detailed Description
To help those skilled in the art understand the technical solutions in one or more embodiments of this specification, those solutions are described below clearly and completely with reference to the drawings. The described embodiments are only some, not all, of the possible embodiments; all other embodiments that a person skilled in the art can derive from them without inventive effort fall within the scope of protection of this document.
Fig. 1 is a schematic diagram of an application scenario of a resource access method according to one or more embodiments of this specification. As shown in Fig. 1, the scenario comprises a first terminal device of the user holding the resource, a permission control node, and a blockchain. The first terminal device may be a mobile phone, tablet computer, desktop computer, portable notebook computer or the like (only a mobile phone is shown in Fig. 1), and communicates with the permission control node over a wireless network.
Specifically, the user holding the resource applies in advance to a designated organization for first digital identity information for that resource, so that the resource can be identified by it. When the first terminal device receives an access authorization request sent by the second terminal device of the user to be authorized, or after the holder has agreed an access authorization with the user to be authorized out of band, the holder operates the first terminal device and enters the first digital identity information of the resource, the second digital identity information of the user to be authorized, the access permission information to be granted and so on; in response to the holder's authorization operation, the first terminal device sends an authorization request to the permission control node. The permission control node generates a verifiable claim (VC) from the first digital identity information, the second digital identity information, the access permission information and so on carried in the request, stores first record information of the VC in the blockchain, and sends the VC to the first terminal device so that it forwards the VC to the second terminal device of the user to be authorized. Alternatively, as shown in Fig. 2, the scenario may further include a VC hosting platform (hereinafter, the hosting platform) of the user to be authorized, and the permission control node sends the VC to the hosting platform, which stores it on behalf of the user to be authorized.
The digital identity information is, for example, a DID (Decentralized Identifier; rendered in the Chinese original as decentralized or distributed identity).
Further, in one or more embodiments the permission control node may be a first blockchain node of the blockchain; Fig. 3 shows the application scenario of Fig. 1 in that case. The same holds for Fig. 2: the permission control node there may also be a first blockchain node.
Further, in one or more embodiments the permission control node may instead be a permission control platform that controls access rights to resources. Correspondingly, as shown in Fig. 4, the application scenario of Fig. 1 may further include at least one blockchain node connected to the blockchain (only one is shown in Fig. 4); the permission control platform communicates with the blockchain node over a wireless network and stores the first record information of the verifiable claim in the blockchain through that node. The same holds for Fig. 2: the permission control node there may also be a permission control platform.
Generating a verifiable claim from the first digital identity information of the resource, the second digital identity information of the user to be authorized, the access permission information to be granted and so on grants the user to be authorized access rights to the resource, so that that user can access the resource on the strength of the claim. Fine-grained resource access authorization to a subset of users is thereby achieved, better meeting service development needs; and because the first record information of the claim is stored in the blockchain, the validity of the authorization is assured and the record provides a sound basis for verifying access rights.
Based on this application scenario architecture, one or more embodiments of this specification provide a resource access method. Fig. 5 is a flowchart of the method, which may be executed by the permission control node of Fig. 1. As shown in Fig. 5, the method comprises the following steps:
Step S102: receive an authorization request sent by the first terminal device of the user holding the resource. The authorization request asks that access rights to the resource be granted to the user to be authorized, and carries first digital identity information of the resource, second digital identity information of the user to be authorized, and the access permission information to be granted.
The resource may be a document, picture, spreadsheet, folder or the like, and the access permission information to be granted may include read, write, modify and similar rights on the resource.
Step S104: generate a verifiable claim from the first digital identity information, the second digital identity information and the access permission information, and store first record information of the verifiable claim in the blockchain.
The verifiable claim is a verifiable proof that the holder of the resource has granted the stated access rights to the user to be authorized.
Note that when the permission control node is the permission control platform described above, storing the first record information in the blockchain in step S104 means that the permission control platform sends the first record information of the verifiable claim to a blockchain node, which stores it in the blockchain.
Step S106: send the verifiable claim to the first terminal device so that it forwards the claim to the second terminal device of the user to be authorized; alternatively, send the verifiable claim to the verifiable claim hosting platform of the user to be authorized so that the hosting platform stores it on that user's behalf.
In one or more embodiments of this specification, a verifiable claim is generated from the first digital identity information of the resource, the second digital identity information of the user to be authorized, the access permission information to be granted and so on, granting that user access rights to the resource, so that the user can access the resource on the strength of the claim. Fine-grained resource access authorization to a subset of users is thereby achieved, better meeting service development needs; and because the first record information of the claim is stored in the blockchain, the validity of the authorization is assured and the record provides a sound basis for verifying access rights.
To ensure that the granted access rights are valid, in one or more embodiments of this specification the access permission information to be granted is checked before the verifiable claim is generated. Specifically, as shown in Fig. 6, step S104 comprises:
Step S104-2: if the access permission information is determined to satisfy a preset authorization condition, generate the verifiable claim from the first digital identity information, the second digital identity information and the access permission information, and store first record information of the claim in the blockchain.
Specifically, the authorization request further carries first signature data, obtained by signing first specified information with the private key corresponding to the first digital identity information. What the first specified information consists of can be chosen as needed in practice; for example, it comprises one or more of the first digital identity information, the second digital identity information and the access permission information. Correspondingly, determining in step S104-2 that the access permission information satisfies the preset authorization condition comprises:
if the first signature data verifies under the public key obtained for the first digital identity information, and the access permission information does not contain both first preset permission information and second preset permission information, determining that the access permission information satisfies the preset authorization condition. The rights corresponding to the first and second preset permission information are mutually exclusive: for example, the first preset permission information is all, meaning that the user to be authorized is granted every access right to the resource, and the second preset permission information is none, meaning that no right is granted. Note that when the access permission information to be granted contains all or contains none, the other permission entries may be ignored; if it contains write (write right) together with all, the user to be authorized is taken to be granted all access rights to the resource.
Further, obtaining the public key corresponding to the first digital identity information may comprise: querying the corresponding document (DID document) from the blockchain by the first digital identity information and taking the public key from that document; or sending a public key request carrying the first digital identity information to a designated security authority, so that the authority looks up the corresponding public key in its stored mapping from digital identity information to public keys and returns it to the permission control node, which receives it.
Further, if the access permission information is determined not to satisfy the preset authorization condition, authorization failure information is sent to the first terminal device.
Checking the access permission information to be granted in this way ensures that the granted rights are valid and avoids the situation in which mutually exclusive rights are granted together and the resulting access right cannot be defined.
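The preset authorization condition above combines a signature check (does the request really come from whoever controls the resource DID?) with a consistency check on the permission set (no all together with none). The Go program below is an added example and not code from the patent or from Ant/Alipay. It assumes an Ed25519 key bound to the resource DID, a resolver callback standing in for the DID document lookup or the security authority, and one particular encoding of the first specified information (the three fields joined with a separator byte); the text fixes none of these.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// AuthorizationRequest is what the holder's terminal sends to the permission
// control node. Field names are assumptions; the text only lists the contents.
type AuthorizationRequest struct {
	ResourceDID string   // first digital identity information (the resource)
	GranteeDID  string   // second digital identity information (user to be authorized)
	Permissions []string // access permission information to be granted
	Signature   []byte   // first signature data, made with the holder's private key
}

// The two mutually exclusive preset permissions named in the text.
const (
	PermAll  = "all"
	PermNone = "none"
)

// FirstSpecifiedInfo is the byte string the holder signs. The text leaves its
// composition open; here all three fields are joined with a separator byte that
// cannot occur in a DID, so "a|bc" and "ab|c" cannot produce the same message.
func FirstSpecifiedInfo(resourceDID, granteeDID string, perms []string) []byte {
	return []byte(resourceDID + "\x1f" + granteeDID + "\x1f" + strings.Join(perms, ","))
}

// Resolver returns the public key bound to a DID, standing in for the DID
// document lookup on the chain or the security authority's mapping (assumed).
type Resolver func(did string) (ed25519.PublicKey, bool)

// CheckAuthorizationCondition is the preset authorization condition: the first
// signature data must verify under the key resolved for the resource DID, and
// the permission set must not contain both "all" and "none".
func CheckAuthorizationCondition(req AuthorizationRequest, resolve Resolver) error {
	pub, ok := resolve(req.ResourceDID)
	if !ok || len(pub) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad key size
		return errors.New("no usable public key for the resource DID")
	}
	msg := FirstSpecifiedInfo(req.ResourceDID, req.GranteeDID, req.Permissions)
	if !ed25519.Verify(pub, msg, req.Signature) {
		return errors.New("first signature data does not verify under the holder's key")
	}
	hasAll, hasNone := false, false
	for _, p := range req.Permissions {
		switch strings.ToLower(p) {
		case PermAll:
			hasAll = true
		case PermNone:
			hasNone = true
		}
	}
	if hasAll && hasNone {
		return errors.New("mutually exclusive permissions all and none requested together")
	}
	return nil
}

// NormalizePermissions applies the rule that all or none overrides the other
// entries, e.g. {"write", "all"} becomes {"all"}. Call it only after
// CheckAuthorizationCondition has rejected sets that contain both.
func NormalizePermissions(perms []string) []string {
	for _, p := range perms {
		switch strings.ToLower(p) {
		case PermAll:
			return []string{PermAll}
		case PermNone:
			return []string{PermNone}
		}
	}
	out := make([]string, 0, len(perms))
	for _, p := range perms {
		out = append(out, strings.ToLower(p))
	}
	return out
}

func main() {
	// Constructed demo: one holder key pair and a resolver that knows only it.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	resolve := func(did string) (ed25519.PublicKey, bool) {
		return pub, did == "did:example:report-2020"
	}
	req := AuthorizationRequest{
		ResourceDID: "did:example:report-2020",
		GranteeDID:  "did:example:alice",
		Permissions: []string{"read", "write"},
	}
	req.Signature = ed25519.Sign(priv, FirstSpecifiedInfo(req.ResourceDID, req.GranteeDID, req.Permissions))
	fmt.Println("well-formed request:", CheckAuthorizationCondition(req, resolve))
	fmt.Println("normalized:", NormalizePermissions([]string{"write", "all"}))

	// A re-signed request that asks for all and none at once is rejected.
	req.Permissions = []string{"all", "none"}
	req.Signature = ed25519.Sign(priv, FirstSpecifiedInfo(req.ResourceDID, req.GranteeDID, req.Permissions))
	fmt.Println("contradictory request:", CheckAuthorizationCondition(req, resolve))
}
```

The signature is checked before the permission set is inspected, and the exclusivity check runs on the raw list before all or none is allowed to override the other entries; if normalization ran first, a request carrying both would be silently collapsed to whichever came first instead of being refused.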
In one or more embodiments of this specification, in order to grant rights to multiple users to be authorized, to distinguish the rights granted to each of them, and to make it easy to look up the corresponding first record information in the blockchain during later access right verification, step S102 may further comprise, as shown in Fig. 7:
Step S103-2: generate a claim identifier for the verifiable claim from the first digital identity information and the second digital identity information using a first preset algorithm.
The first preset algorithm can be chosen as needed in practice; for example, it is SHA-256, and step S103-2 then comprises concatenating the first digital identity information and the second digital identity information into a single string, computing SHA-256 over that string, and taking the digest as the claim identifier.
Step S103-4: store the claim identifier in a designated database.
The designated database holds the claim identifiers of all verifiable claims that are currently valid, so that when access permission information is verified, whether a corresponding verifiable claim exists can be determined quickly from the identifiers in the database without consulting the blockchain.
Corresponding to steps S103-2 and S103-4, as shown in Fig. 7, step S104 comprises:
Step S104-4: obtain second signature data, which is obtained by signing second specified information with the private key corresponding to the first digital identity information.
Optionally, the second specified information is the same as the first specified information, so the second signature data is the first signature data and obtaining it means taking the first signature data from the authorization request. Otherwise the second specified information differs from the first, and the second signature data must be produced by whoever holds the private key corresponding to the first digital identity information. If the holder of the resource keeps that private key, that is, it is stored on the first terminal device, the permission control node sends a signing request to the first terminal device identified by the first digital identity information; the first terminal device signs the second specified information with the stored private key and returns the second signature data to the permission control node. If the private key is instead held by a key escrow authority, the permission control node sends the signing request to a fourth terminal device of the key escrow authority's user, which signs the second specified information with the stored private key and returns the second signature data to the permission control node.
Step S104-6: generate the verifiable claim from the claim identifier, the second signature data, the first digital identity information, the second digital identity information and the access permission information.
Step S104-8: compute a hash of the verifiable claim using a second preset algorithm.
The second preset algorithm can be chosen as needed in practice, for example the MD5 algorithm.
Step S104-10: associate the claim identifier, the hash and a validity field indicating that the verifiable claim is in a valid state into one record, and take that record as the first record information of the verifiable claim.
Step S104-12: store the first record information in the blockchain.
Generating a claim identifier and building the verifiable claim around it lets each claim be told apart by its identifier, and hence the access rights of each user to be authorized by their claims. Computing the hash of the claim and recording it together with the claim identifier provides a sound basis for later verification of resource access rights while keeping the granted rights themselves private, since only the hash, not the claim, goes on chain.
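Steps S103-2 to S104-12 as one program: claim identifier, claim, on-chain record and the identifier index, together with the check a verifier later performs against the record, which is the use the text says the record is stored for. This is an added Go example, not the patent's code; the field names, the JSON serialization that is hashed, and the in-memory stand-ins for the blockchain and the designated database are assumptions. SHA-256 is used for the claim hash where the text offers MD5 as one option, because an MD5 collision would let two claims with different permissions share one on-chain hash. The second signature data is treated as an opaque hex string supplied by the holder.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// VerifiableClaim is the credential the permission control node issues. Field
// names and JSON layout are assumptions; the text lists only the contents.
type VerifiableClaim struct {
	ClaimID     string   `json:"claim_id"`
	ResourceDID string   `json:"resource_did"`
	GranteeDID  string   `json:"grantee_did"`
	Permissions []string `json:"permissions"`
	Signature   string   `json:"signature"` // second signature data, hex
}

// Record is the first record information written to the chain. The claim
// itself stays off-chain; only identifier, hash and validity become public.
type Record struct {
	ClaimID string
	Hash    string
	Valid   bool
}

// ClaimID is the first preset algorithm: SHA-256 over resource identifier
// followed by grantee identifier. It depends only on that pair, so there is
// one live identifier per (resource, grantee) at a time.
func ClaimID(resourceDID, granteeDID string) string {
	sum := sha256.Sum256([]byte(resourceDID + granteeDID))
	return hex.EncodeToString(sum[:])
}

// ClaimHash is the second preset algorithm (SHA-256 here rather than MD5).
// encoding/json writes struct fields in declaration order, so issuer and
// verifier hash identical bytes for identical claims.
func ClaimHash(vc VerifiableClaim) (string, error) {
	b, err := json.Marshal(vc)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:]), nil
}

// Ledger is an in-memory stand-in for the blockchain (append-only records)
// and for the designated database of identifiers of claims in a valid state.
type Ledger struct {
	chain []Record
	index map[string]bool
}

func NewLedger() *Ledger { return &Ledger{index: map[string]bool{}} }

// Issue derives the identifier, builds the claim, hashes it, and writes the
// record to the chain and the identifier to the index.
func (l *Ledger) Issue(resourceDID, granteeDID string, perms []string, sigHex string) (VerifiableClaim, Record, error) {
	vc := VerifiableClaim{ClaimID: ClaimID(resourceDID, granteeDID), ResourceDID: resourceDID,
		GranteeDID: granteeDID, Permissions: perms, Signature: sigHex}
	h, err := ClaimHash(vc)
	if err != nil {
		return VerifiableClaim{}, Record{}, err
	}
	rec := Record{ClaimID: vc.ClaimID, Hash: h, Valid: true}
	l.chain = append(l.chain, rec)
	l.index[rec.ClaimID] = true
	return vc, rec, nil
}

// Check is the verifier's use of the record: the presented claim must carry the
// identifier derived from its own DIDs, be in the index, and hash to the value
// recorded on chain while that record is still marked valid.
func (l *Ledger) Check(vc VerifiableClaim) error {
	if vc.ClaimID != ClaimID(vc.ResourceDID, vc.GranteeDID) {
		return errors.New("claim identifier does not match the identities in the claim")
	}
	if !l.index[vc.ClaimID] {
		return errors.New("no valid claim with this identifier")
	}
	h, err := ClaimHash(vc)
	if err != nil {
		return err
	}
	for i := len(l.chain) - 1; i >= 0; i-- { // newest record for the identifier wins
		if l.chain[i].ClaimID != vc.ClaimID {
			continue
		}
		if !l.chain[i].Valid {
			return errors.New("claim has been revoked")
		}
		if l.chain[i].Hash != h {
			return errors.New("claim contents do not match the hash recorded on chain")
		}
		return nil
	}
	return errors.New("identifier indexed but no record found on chain")
}

func main() {
	// Constructed demo; "3a7f" stands in for the holder's real signature.
	l := NewLedger()
	vc, rec, err := l.Issue("did:example:report-2020", "did:example:alice", []string{"read"}, "3a7f")
	if err != nil {
		panic(err)
	}
	fmt.Printf("record on chain: %+v\n", rec)
	fmt.Println("genuine claim:", l.Check(vc))
	forged := vc
	forged.Permissions = []string{"read", "write"} // grantee edits the copy they hold
	fmt.Println("forged claim:", l.Check(forged))
}
```

Because the identifier is a function of the DID pair alone, granting the same resource to the same user twice yields the same identifier; a second grant therefore has to replace the earlier record rather than sit beside it, which is the job of the permission change process in Figs. 13 and 14.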
In one or more embodiments of the present specification, in consideration of different users having different usage habits of verifiable statements, a user to be authorized may select to keep the verifiable statements by himself, or may select to be replaced by a verifiable statement hosting platform to keep the verifiable statements, and to declare hosting party information of the verifiable statements in a document corresponding to the second digital identity information; correspondingly, as shown in fig. 8, step S106 includes:
s106-2, acquiring a document corresponding to the second digital identity information;
specifically, when the authority control node is a first blockchain node, the corresponding document is queried from the blockchain according to the second digital identity information; when the authority control node is the authority control platform, a query request is sent to the blockchain node according to the second digital identity information, so that the blockchain node queries the corresponding document from the blockchain according to the second digital identity information and sends the queried document to the authority control platform; or, after the blockchain node queries the corresponding document from the blockchain according to the second digital identity information, it determines whether the document includes the hosting party information of the verifiable statement and sends the determined result information to the authority control platform.
Step S106-4, determining whether the acquired document includes the hosting party information of the verifiable statement; if so, executing step S106-6, otherwise executing step S106-8;
step S106-6, the verifiable statement is sent to the hosting platform corresponding to the hosting party information, so that the hosting platform agent stores the verifiable statement for the user to be authorized;
step S106-8, the verifiable statement is sent to the first terminal equipment, so that the first terminal equipment sends the verifiable statement to the second terminal equipment of the user to be authorized.
Therefore, the authority control node generates the verifiable statement based on the authorization request sent by the first terminal device, so that the resource access authority granted by the resource holding user is proved through the verifiable statement, the resource access authorization of the resource holding user to the user to be authorized is completed, and the fine-grained resource access authorization to the partial users is realized. Then, the user to be authorized may access the corresponding resource based on the verifiable statement, and in order to ensure that the user to be authorized can only perform the operation corresponding to the granted access right on the resource, as shown in fig. 9, in one or more embodiments of the present specification, step S106 further includes:
step S108, receiving an authentication request sent by a third terminal device where the resource is located; the authentication request is sent by the third terminal device based on the access request of the user to be authorized to the resource; the authentication request comprises access authority information to be verified;
specifically, when a user to be authorized needs to access a resource, the user operates the resource (such as clicking or double-clicking it); when the third terminal device where the resource is located detects the resource access operation of the user to be authorized, it may display an access information input interface, so that the user to be authorized inputs his own second digital identity information, access type information and the like, and clicks a submit button when the input is complete, so that an access request is sent to the third terminal device; when the third terminal device receives the access request, it obtains the access information submitted by the user to be authorized and determines the access authority information to be verified according to the access type information; it then signs the third specified information with the private key corresponding to the first digital identity information to obtain third signature data, generates an authentication request according to the third signature data, the determined access authority information, the first digital identity information, the second digital identity information and the like, and sends the authentication request to the authority control node.
The access type information includes reading the resource, writing the resource and the like, and the correspondingly determined access authority information includes read authority, write authority and the like. The third specified information may be set as needed in practical applications; for example, the third specified information includes one or more of the determined access authority information, the first digital identity information, the second digital identity information, and the like. It should be noted that, when the user to be authorized keeps the verifiable statement himself, the verifiable statement is uploaded through the access information input interface, and correspondingly the authentication request further includes the verifiable statement.
Step S110, obtaining a verifiable statement;
as mentioned above, the authentication request further includes the third signature data, and accordingly, as shown in fig. 10, step S110 includes:
step S110', if the third signature data included in the authentication request is verified according to the public key corresponding to the acquired first digital identity information and it is determined that the access right information to be verified satisfies the preset access condition, a verifiable statement is acquired.
Specifically, a corresponding public key is obtained according to first digital identity information included in the authentication request; verifying the third signature data by using the obtained public key, and if the third signature data is not verified, sending a verification result of verification failure to the third terminal equipment; if the verification is passed, determining whether the access authority information to be verified simultaneously comprises first preset authority information and second preset authority information, if so, determining that the access authority information to be verified does not meet preset access conditions, and sending a verification result of verification failure to the third terminal equipment; if not, determining that the access authority information to be verified meets the preset access condition, and acquiring the verifiable statement so as to verify whether the access authority information included in the authentication request is within the granted access authority or not based on the verifiable statement. For the process of obtaining the public key corresponding to the first digital identity information, reference may be made to the foregoing related description, which is not described herein again.
Further, considering that an unauthorized user may also attempt to access the resource, in order to avoid accessing the blockchain multiple times due to the access of the unauthorized user, and in order to avoid excessive authentication operations due to the access of the unauthorized user, in one or more embodiments of the present specification, as shown in fig. 11, S110' may include:
step S110-2, if the third signature data included in the authentication request is verified according to the public key corresponding to the acquired first digital identity information and the access authority information to be verified meets the preset access condition, generating a declaration identification based on the first digital identity information and the second digital identity information included in the authentication request according to a first preset algorithm;
step S110-4, if the generated statement identification is determined to be included in the designated database, whether the authentication request includes a verifiable statement is determined, and if so, the step S110-6 is executed; otherwise, executing step S110-8;
specifically, whether the generated declaration identification is included in the designated database is determined, and if not, a verification result of verification failure is sent to the third terminal device; if so, determining whether the authentication request includes a verifiable statement, if the authentication request includes the verifiable statement, executing step S110-6, and if the authentication request does not include the verifiable statement, executing step S110-8.
Step S110-6, obtaining the verifiable statement from the authentication request, and executing step S112;
step S110-8, obtaining a document corresponding to the second digital identity information, and sending a request for obtaining a verifiable statement to a corresponding hosting platform according to the generated statement identifier and the hosting party information contained in the obtained document;
the process of obtaining the document corresponding to the second digital identity information may refer to the foregoing related description, and repeated details are not repeated here.
Step S110-10, receiving the verifiable statement sent by the hosting platform, and executing step S112.
Therefore, before the verifiable statement is obtained, whether the user currently accessing the resource holds the verifiable statement or not, namely whether the user has the right to access the resource or not can be verified in time by generating the statement identification and determining whether the generated statement identification is included in the specified database or not.
Step S112, verifying the access authority information to be verified based on the first record information stored in the block chain and the obtained verifiable statement;
specifically, as shown in fig. 12, step S112 includes:
step S112-2, if the generated statement identification is matched with the statement identification included in the obtained verifiable statement, inquiring related first record information from the block chain according to the statement identification;
specifically, the generated statement identifier is matched with the statement identifier in the verifiable statement; if the two are consistent, the matching is determined to be successful, and the associated first record information is queried from the blockchain according to the statement identifier; if the two are inconsistent, the matching is determined to have failed, and a verification result of verification failure is sent to the third terminal device.
If the access right change process is performed before step S108, step S112-2 includes: if the generated statement identification is matched with the statement identification included in the obtained verifiable statement, inquiring the related last piece of record information from the block chain according to the statement identification; the process of changing the access authority will be described in detail later.
Step S112-4, if the validity field included in the queried first record information represents that the obtained verifiable declaration is in a valid state, the second signature data in the obtained verifiable declaration is verified to pass, and the access right information in the obtained verifiable declaration includes the access right information to be verified, determining that the access right information to be verified is verified to pass.
Specifically, it is determined whether the validity field in the queried first record information represents that the verifiable statement is in a valid state; if not, a verification result of verification failure is sent to the third terminal device; if so, the second signature data in the obtained verifiable statement is verified using the public key corresponding to the first digital identity information, and if that verification fails, a verification result of verification failure is sent to the third terminal device; if the verification passes, it is determined whether the access authority information in the obtained verifiable statement includes the access authority information to be verified; if so, the access authority information to be verified is determined to pass verification, and if not, a verification result of verification failure is sent to the third terminal device. It should be noted that the verification order of the validity field, the second signature data and the access authority information is not limited to the above order, and may be set as needed in practical applications.
Step S114, sending the verification result to the third terminal device, so that the third terminal device determines whether to allow the user to be authorized to access the resource according to the verification result.
Therefore, on the basis of realizing fine-grained resource access authorization to partial users, the authority control node can also verify the resource access authority based on the record information and the verifiable statement in the block chain, so that only authorized users can access corresponding resources, and the development requirement of services is met. It should be noted that, when the permission control node is the first blockchain node, the access permission information to be verified may be verified based on the intelligent contract in the blockchain.
In view of the fact that in practical applications, due to personnel changes or business changes, the user holding the resource may need to change the granted resource access authority, in one or more embodiments of the present specification, as shown in fig. 13, step S106 may further include:
step S202, receiving a permission change request sent by a first terminal device; the permission changing request is used for requesting to change the access permission of the resource granted to the user to be authorized; the permission change request comprises access permission information to be changed;
specifically, when the user holding the resource needs to change the access authority of the resource granted to the user to be authorized, the user operates the first terminal device and inputs the first digital identity information of the resource, the second digital identity information of the user to be authorized, the access authority information to be changed and the like; the first terminal device responds to the authority change operation of the resource holding user, generates an authority change request according to the acquired first digital identity information, the second digital identity information of the user to be authorized and the access authority information to be changed, and sends the authority change request to the authority control node; the authority control node receives the authority change request sent by the first terminal device.
Step S204, if the access authority information to be changed meets the preset changing condition, carrying out access authority changing processing according to the access authority information to be changed;
specifically, as shown in fig. 14, step S204 includes:
step S204-2, if the access authority information to be changed is determined to meet the preset changing condition, generating an original declaration identification based on the first digital identity information and the second digital identity information included in the authority changing request according to a first preset algorithm;
wherein the permission change request includes fourth signature data obtained by signing fourth specified information with the private key corresponding to the first digital identity information, and correspondingly, step S204-2 includes: if the fourth signature data passes verification according to the public key corresponding to the acquired first digital identity information and the access authority information to be changed does not simultaneously include the first preset authority information and the second preset authority information, determining that the access authority information to be changed meets the preset changing condition; and generating an original declaration identifier based on the first digital identity information and the second digital identity information according to the first preset algorithm. The process of generating the original declaration identifier may refer to the foregoing related description, and is not described herein again.
Step S204-4, if the verifiable statement corresponding to the original statement identification is determined to be in the valid state, the original statement identification and the validity field representing the verifiable statement to be in the invalid state are recorded in an associated manner, the recorded information is determined to be second recorded information of the verifiable statement, and the second recorded information is stored in a block chain;
in order to avoid conflict between the resource access right after the change and the resource access right before the change, in one or more embodiments of the present specification, when the resource access right is changed, the resource access right before the change needs to be revoked first, that is, the verifiable statement before the change needs to be set to an invalid state.
Optionally, in one or more embodiments, the permission change request does not include a declaration identification of the verifiable declaration before the change, and accordingly, the determining that the verifiable declaration corresponding to the original declaration identification is in a valid state in step S204-4 includes: if the specified database comprises the original declaration identification and the target validity field representation verifiable declaration obtained from the block chain according to the original declaration identification is in the valid state, determining that the verifiable declaration corresponding to the original declaration identification is in the valid state;
specifically, it is determined whether the specified database includes the calculated original statement identifier, and if not, change failure information is sent to the first terminal device; if so, the associated last piece of record information is queried from the blockchain according to the order in which the record information was stored to the blockchain, the validity field in the last piece of record information is determined as the target validity field, and it is determined whether the target validity field represents that the verifiable statement is in a valid state; if so, the verifiable statement corresponding to the original statement identifier is determined to be in a valid state, the original statement identifier and a validity field representing that the verifiable statement is in an invalid state are recorded in an associated manner, the recorded information is determined as the second record information of the verifiable statement, and the second record information is stored in the blockchain; if not, the verifiable statement corresponding to the original statement identifier is determined to be in an invalid state, and step S204-6 is executed.
Optionally, in another embodiment or in multiple embodiments, the permission change request includes a declaration identification of the verifiable declaration before the change, and accordingly, the determining that the verifiable declaration corresponding to the original declaration identification is in a valid state in step S204-4 includes: and if the calculated original declaration identification is determined to be matched with the declaration identification included in the permission change request, the calculated original declaration identification is included in the designated database, and the verifiable declaration is represented to be in the valid state according to the target validity field obtained from the block chain by the original declaration identification, determining that the verifiable declaration corresponding to the original declaration identification is in the valid state.
Specifically, it is determined whether the calculated original statement identifier is the same as the statement identifier included in the permission change request, and if not, change failure information is sent to the first terminal device; if so, it is determined whether the specified database includes the calculated original statement identifier, and if not, change failure information is sent to the first terminal device; if so, the associated last piece of record information is queried from the blockchain according to the order in which the record information was stored to the blockchain, the validity field in the last piece of record information is determined as the target validity field, and it is determined whether the target validity field represents that the verifiable statement is in a valid state; if so, the verifiable statement corresponding to the original statement identifier is determined to be in a valid state, the original statement identifier and a validity field representing that the verifiable statement is in an invalid state are recorded in an associated manner, the recorded information is determined as the second record information of the verifiable statement, and the second record information is stored in the blockchain; if not, the verifiable statement corresponding to the original statement identifier is determined to be in an invalid state, and step S204-6 is executed.
Step S204-6, generating a new declaration identification based on the first digital identity information, the second digital identity information and the original declaration identification according to a first preset algorithm;
the first preset algorithm may be set as needed in practical applications, as described above, for example the sha256 algorithm; accordingly, step S204-6 may include: splicing the first digital identity information, the second digital identity information and the original declaration identifier to obtain a spliced character string, computing the sha256 digest of the spliced character string, and determining the result as the new declaration identifier.
Step S204-8, generating a new verifiable statement according to the new statement identification, the first digital identity information, the second digital identity information and the access authority information to be changed, and storing the first record information of the new verifiable statement into the block chain.
The process of generating a new verifiable statement is similar to the process of generating a verifiable statement, and reference may be made to the foregoing related description, which is not repeated here.
Further, in order to facilitate operations such as verifying the changed access right, the method further includes, after step S204-8: and updating the original declaration identification stored in the specified database into the generated new declaration identification, namely deleting the original declaration identification stored in the specified database and storing the new declaration identification into the specified database.
Step S204-10, sending the new verifiable statement to the first terminal equipment, so that the first terminal equipment sends the new verifiable statement to the second terminal equipment of the user to be authorized; or sending the new verifiable declaration and the original declaration identification to the hosting platform, so that the hosting platform agent updates the verifiable declaration corresponding to the saved original declaration identification to the new verifiable declaration.
Specifically, a corresponding document is inquired from the block chain according to second digital identity information included in the permission change request, whether the inquired document includes the hosting party information or not is determined, and if not, a new verifiable statement is sent to the first terminal device, so that the first terminal device sends the new verifiable statement to the second terminal device of the user to be authorized; if yes, sending the new verifiable statement and the original statement identification to the hosting platform, so that the hosting platform agent inquires the corresponding stored verifiable statement according to the original statement identification, deletes the inquired verifiable statement and stores the received new verifiable statement.
Step S206, sending the permission change result to the first terminal device.
It should be noted that, when the new verifiable statement is sent to the first terminal device in step S204-10, the new verifiable statement may be sent to the first terminal device together with the right change result that the change is successful, or the right change result that the change is successful may be sent to the first terminal device after the new verifiable statement is sent to the first terminal device.
In the above, when the authority control node receives the authority change request, the original verifiable statement is set to be in an invalid state, and a new verifiable statement is generated based on the access authority information to be changed, so as to realize the change of the access authority; the method and the device realize the change of the granted resource access authority on the basis of realizing fine-grained resource access authorization to partial users, and can better adapt to the development requirement of services. Note that, when the authority control node is the first blockchain node, verification of change conditions, change processing, and the like may be performed based on the smart contracts in the blockchain.
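The following is an added worked example and not code from the patent or from the applicant: one permission control node that carries out the three procedures described above, issuing a verifiable statement (steps S104-2 to S104-12), verifying an access request against it (steps S108 to S114, including the mutually exclusive permission check and the "last record wins" lookup), and changing a granted permission by revoking the old statement and deriving a new statement identifier from the first digital identity information, the second digital identity information and the original identifier (steps S204-2 to S204-10). The blockchain is stood in by an append-only list, the specified database by a dict keyed on the identity pair (so the current identifier is still found after a change), the DID private-key signature by HMAC-SHA256, and the first and second signature data by one signature over the same specified information; the DIDs, the key and the two exclusive rights are constructed values.

```python
"""Added example (not the patent's code): a permission control node that
issues, verifies and changes verifiable statements for resource access.
Simplifications, all labelled: the chain is an append-only list, the
specified database is a dict keyed on (first DID, second DID), and the DID
private-key signature is stood in by HMAC-SHA256."""
import hashlib
import hmac
import json

# Constructed: the "first/second preset permission information", i.e. two
# mutually exclusive rights that may never be granted or requested together.
EXCLUSIVE = ("read_only", "write")

# Constructed identities and the resource holder's key. With HMAC the node's
# verification key equals the signing key; a real deployment resolves the
# holder's public key from the DID document stored on chain.
RESOURCE_DID = "did:example:resource-001"
USER_DID = "did:example:user-007"
HOLDER_KEY = b"constructed-holder-key"


def canonical(obj):
    return json.dumps(obj, sort_keys=True).encode()


def sign(key, info):
    return hmac.new(key, canonical(info), "sha256").hexdigest()


def verify_sig(key, info, sig):
    return hmac.compare_digest(sign(key, info), sig)


def statement_id(first_did, second_did, original_id=""):
    """First preset algorithm: sha256 over the spliced identities; a changed
    permission also splices in the original statement identifier (S204-6)."""
    return hashlib.sha256((first_did + second_did + original_id).encode()).hexdigest()


def claim_hash(claim):
    """Second preset algorithm (the patent names MD5 as one option; sha256 here)."""
    return hashlib.sha256(canonical(claim)).hexdigest()


def permitted(rights):
    """Preset condition: a request naming both exclusive rights is rejected."""
    return not all(r in rights for r in EXCLUSIVE)


def holder_request(first_did, second_did, rights, key=HOLDER_KEY):
    """What the holder's first terminal device sends: the specified information
    plus the holder's signature over it (first and second signature data are
    collapsed into this one signature)."""
    info = {"first": first_did, "second": second_did, "rights": sorted(rights)}
    return {**info, "sig": sign(key, info)}


class PermissionNode:
    def __init__(self):
        self.chain = []      # stand-in blockchain: records are only ever appended
        self.database = {}   # "specified database": (first, second) -> live id

    def latest_record(self, cid):
        """Revocation appends a new record, so the last record for an id wins."""
        return next((r for r in reversed(self.chain) if r["id"] == cid), None)

    def issue(self, req, original_id=""):
        """S104: check signature and exclusivity, derive the identifier, build
        the statement and store its first record information."""
        info = {k: req[k] for k in ("first", "second", "rights")}
        if not verify_sig(HOLDER_KEY, info, req["sig"]) or not permitted(req["rights"]):
            return None
        cid = statement_id(req["first"], req["second"], original_id)
        claim = {"id": cid, **info, "sig": req["sig"]}
        self.chain.append({"id": cid, "hash": claim_hash(claim), "valid": True})
        self.database[(req["first"], req["second"])] = cid
        return claim

    def verify_access(self, first_did, second_did, wanted, claim):
        """S110-S112: requested rights must not be exclusive, the identifier must
        be the live one for this pair, the latest record must be valid and match
        the statement, the signature must check, and the requested rights must
        lie within the granted ones."""
        if not permitted(wanted):
            return False
        cid = self.database.get((first_did, second_did))
        if cid is None or claim.get("id") != cid:
            return False
        rec = self.latest_record(cid)
        if rec is None or not rec["valid"] or rec["hash"] != claim_hash(claim):
            return False
        info = {k: claim[k] for k in ("first", "second", "rights")}
        if not verify_sig(HOLDER_KEY, info, claim["sig"]):
            return False
        return set(wanted) <= set(claim["rights"])

    def change(self, req):
        """S204: append a second record marking the current statement invalid,
        then issue a new statement whose identifier also binds the original id;
        issue() switches the database over to the new identifier."""
        original = self.database.get((req["first"], req["second"]))
        rec = self.latest_record(original) if original else None
        if rec is None or not rec["valid"] or not permitted(req["rights"]):
            return None
        info = {k: req[k] for k in ("first", "second", "rights")}
        if not verify_sig(HOLDER_KEY, info, req["sig"]):
            return None
        self.chain.append({"id": original, "valid": False})  # second record information
        return self.issue(req, original_id=original)


if __name__ == "__main__":
    node = PermissionNode()
    old = node.issue(holder_request(RESOURCE_DID, USER_DID, ["read"]))
    new = node.change(holder_request(RESOURCE_DID, USER_DID, ["read", "write"]))
    print("old statement still accepted:", node.verify_access(RESOURCE_DID, USER_DID, ["read"], old))
    print("new statement grants write:", node.verify_access(RESOURCE_DID, USER_DID, ["write"], new))
```

The verifier deliberately rejects on the first failing check in the order validity, hash, signature, rights; the specification leaves that order open, so any order that checks all four is equivalent. Keeping the database keyed on the identity pair is what lets the node find the current identifier after a change, where the patent instead replaces the stored original identifier with the new one.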
In one or more embodiments of the present specification, a verifiable statement is generated according to the first digital identity information of the resource, the second digital identity information of the user to be authorized, the access right information to be granted, and the like, so as to grant the access right to the resource to the user to be authorized, so that the user to be authorized can access the corresponding resource based on the verifiable statement; therefore, fine-grained resource access authorization to part of users is realized, and the service development requirement can be better met; moreover, the first record information of the verifiable statement is stored in the block chain, so that the validity of authorization is ensured, and a valid basis can be provided for the verification of the access right.
The method described above with reference to fig. 5 to 14 is based on the same technical concept, and one or more embodiments of the present specification further provide a resource access device. Fig. 15 is a schematic diagram illustrating a module composition of a resource access device according to one or more embodiments of the present disclosure, where the resource access device is configured to perform the methods described in fig. 2 to 14, and as shown in fig. 15, the resource access device includes:
a receiving module 301, configured to receive an authorization request sent by a first terminal device of a user holding a resource; the authorization request is used for requesting to grant the access right of the resource for the user to be authorized; the authorization request comprises first digital identity information of the resource, second digital identity information of the user to be authorized and access authority information to be granted;
a first generating module 302, which generates a verifiable statement according to the first digital identity information, the second digital identity information and the access right information;
a saving module 303, configured to save the first record information of the verifiable declaration into a blockchain;
a sending module 304, configured to send the verifiable statement to the first terminal device, so that the first terminal device sends the verifiable statement to a second terminal device of the user to be authorized; or sending the verifiable declaration to a verifiable declaration hosting platform of the user to be authorized, so that the hosting platform proxies the user to be authorized to save the verifiable declaration.
The resource access device provided in one or more embodiments of the present specification generates a verifiable declaration according to the first digital identity information of the resource, the second digital identity information of the user to be authorized, the access right information to be granted, and the like, so as to grant the user to be authorized access right to the resource, so that the user to be authorized can access the corresponding resource based on the verifiable declaration; therefore, fine-grained resource access authorization to part of users is realized, and the service development requirement can be better met; moreover, the first record information of the verifiable statement is stored in the block chain, so that the validity of authorization is ensured, and a valid basis can be provided for the verification of the access right.
Optionally, the first generating module 302 generates a verifiable statement according to the first digital identity information, the second digital identity information, and the access right information if it is determined that the access right information satisfies a preset authorization condition.
Optionally, the authorization request further includes: first signature data; the first signature data is obtained by signing first specified information by using a private key corresponding to the first digital identity information;
the first generating module 302, if the first signature data passes verification according to the public key corresponding to the acquired first digital identity information and it is determined that the access right information does not include first preset right information and second preset right information at the same time, determining that the access right information meets a preset authorization condition; and the authority corresponding to the first preset authority information and the authority corresponding to the second preset authority information are mutually exclusive authorities.
Optionally, the sending module 304 sends authorization failure information to the first terminal device if the first generating module 302 determines that the access right information does not satisfy a preset authorization condition.
Optionally, the apparatus further comprises: a second generation module;
the second generating module generates the declaration identifier of the verifiable declaration based on the first digital identity information and the second digital identity information according to a first preset algorithm after the receiving module 301 receives the authorization request sent by the first terminal device of the user holding the resource.
Optionally, the first generating module 302 obtains second signature data, where the second signature data is obtained by signing second specified information with a private key corresponding to the first digital identity information; and
generates a verifiable statement according to the statement identifier, the second signature data, the first digital identity information, the second digital identity information and the access authority information.
Optionally, the saving module 303 calculates a hash value of the verifiable statement according to a second preset algorithm;
records the statement identifier, the hash value and a validity field representing that the verifiable statement is in a valid state in an associated manner, and determines the recorded information as the first record information of the verifiable statement;
and saves the first record information to the blockchain.
Optionally, the sending module 304 is configured to obtain a document corresponding to the second digital identity information; and the number of the first and second groups,
determining whether hosting party information of the verifiable claims is included in the document;
if so, sending the verifiable statement to the hosting platform corresponding to the hosting party information so that the hosting platform proxies the user to be authorized to store the verifiable statement;
if not, the verifiable statement is sent to the first terminal equipment, so that the first terminal equipment sends the verifiable statement to the second terminal equipment of the user to be authorized.
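The authorization path just described (checking the preset authorization condition, deriving the claim identifier, building the verifiable claim with the second signature data, appending the first record information to the chain, and routing delivery by the grantee's identity document) can be followed end to end in the example below. It is an added illustration, not code from the patent or from its assignee. Its assumptions are labeled in the comments: an HMAC secret per identity stands in for the key pair the patent resolves from the first digital identity information, SHA-256 plays the role of both the first and the second preset algorithm, "read_only" and "write" are taken as the mutually exclusive pair of preset right information, the identity document is assumed to name its hosting platform under a "hosting_platform" key, and the blockchain is modelled as an append-only list.

```python
import hashlib
import hmac
import json

# Constructed for this example. The patent verifies the holder's signatures with the
# public key resolved from the first digital identity information; here an HMAC secret
# per identity stands in for that key pair (ASSUMPTION) so the code needs only the
# standard library.
SIGNING_KEYS = {"did:example:resource-1": b"resource-1-signing-secret"}

# ASSUMPTION: the "first" and "second preset right information", a pair of rights that
# must never be granted together.
MUTUALLY_EXCLUSIVE = [("read_only", "write")]


def canonical(obj) -> bytes:
    """Deterministic JSON so hashes and signatures are reproducible on both sides."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(did: str, message: bytes) -> str:
    """Stand-in for signing with the private key corresponding to `did`."""
    return hmac.new(SIGNING_KEYS[did], message, hashlib.sha256).hexdigest()


def verify_signature(did: str, message: bytes, signature: str) -> bool:
    """Stand-in for verifying with the public key corresponding to `did`."""
    return hmac.compare_digest(sign(did, message), signature)


def claim_id(resource_did: str, grantee_did: str) -> str:
    """First preset algorithm (ASSUMPTION): SHA-256 over both identities, so the same
    resource/grantee pair always yields the same claim identifier."""
    return hashlib.sha256(f"{resource_did}|{grantee_did}".encode()).hexdigest()


def meets_authorization_condition(permissions: set) -> bool:
    """Preset authorization condition: no mutually exclusive pair requested together."""
    return not any(a in permissions and b in permissions for a, b in MUTUALLY_EXCLUSIVE)


def authorize(request: dict, ledger: list, id_db: set):
    """Handle an authorization request from the resource holder's (first) terminal device.

    `ledger` is an append-only list standing in for the blockchain and `id_db` the
    designated database of issued claim identifiers. Returns (claim, None) on success
    or (None, failure_message); the message is what goes back as authorization failure.
    """
    resource_did, grantee_did = request["first_did"], request["second_did"]
    # First signature data: the holder signed the first specified information.
    if not verify_signature(resource_did, request["first_specified_info"],
                            request["first_signature"]):
        return None, "authorization failed: first signature data does not verify"
    permissions = set(request["permissions"])
    if not meets_authorization_condition(permissions):
        return None, "authorization failed: mutually exclusive rights requested together"
    cid = claim_id(resource_did, grantee_did)
    id_db.add(cid)
    body = {"claim_id": cid, "issuer": resource_did, "subject": grantee_did,
            "permissions": sorted(permissions)}
    # Second signature data: the holder's signature over the claim body, carried in the claim.
    vc = dict(body, proof=sign(resource_did, canonical(body)))
    # First record information: identifier, hash of the whole claim (second preset
    # algorithm, ASSUMPTION: SHA-256) and the validity field, appended to the chain.
    ledger.append({"claim_id": cid,
                   "hash": hashlib.sha256(canonical(vc)).hexdigest(),
                   "valid": True})
    return vc, None


def delivery_target(grantee_did_document: dict):
    """Route the claim: to the hosting platform named in the grantee's identity document
    (ASSUMPTION: under the key "hosting_platform"), otherwise back to the first terminal
    device, which forwards it to the grantee's own device."""
    host = grantee_did_document.get("hosting_platform")
    return ("hosting_platform", host) if host else ("first_terminal_device", None)


if __name__ == "__main__":
    # Constructed sample request; the first specified information is a per-request challenge.
    challenge = b"authorize:did:example:alice:nonce-1"
    req = {"first_did": "did:example:resource-1", "second_did": "did:example:alice",
           "permissions": ["read_only", "list"], "first_specified_info": challenge,
           "first_signature": sign("did:example:resource-1", challenge)}
    ledger, id_db = [], set()
    vc, err = authorize(req, ledger, id_db)
    print(err or vc, ledger)
    print(authorize(dict(req, permissions=["read_only", "write"]), ledger, id_db)[1])
    print(delivery_target({"hosting_platform": "https://host.example"}))
```

Two details matter for a real deployment: the first specified information should be a fresh challenge bound to the request, otherwise a captured first signature can be replayed to re-issue grants, and the hash stored in the first record information only helps at verification time if the claim is canonicalised identically on both sides, which is why the example fixes the JSON encoding.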
Optionally, the apparatus further comprises an acquisition module and a verification module.
The receiving module 301 receives an authentication request sent by a third terminal device on which the resource is located; the third terminal device sends the authentication request in response to an access request from the user to be authorized for the resource, and the authentication request includes access right information to be verified.
The acquisition module obtains the verifiable claim.
The verification module verifies the access right information to be verified against the first record information stored in the blockchain and the obtained verifiable claim.
The sending module 304 sends the verification result to the third terminal device, so that the third terminal device decides, according to the verification result, whether to allow the user to be authorized to access the resource.
Optionally, the authentication request further includes third signature data, obtained by signing third specified information with the private key corresponding to the first digital identity information.
The acquisition module obtains the verifiable claim only if the third signature data verifies under the public key corresponding to the obtained first digital identity information and the access right information to be verified satisfies a preset access condition.
Optionally, the authentication request further includes the first digital identity information and the second digital identity information.
After the second generating module generates the claim identifier of the verifiable claim from the first digital identity information and the second digital identity information according to the first preset algorithm, the saving module 303 saves the claim identifier in a designated database.
The acquisition module regenerates the claim identifier from the first digital identity information and the second digital identity information according to the first preset algorithm;
if the regenerated claim identifier is present in the designated database, determines whether the authentication request includes the verifiable claim;
if it does, obtains the verifiable claim from the authentication request;
if it does not, obtains the document corresponding to the second digital identity information,
sends a request for the verifiable claim to the corresponding hosting platform according to the regenerated claim identifier and the hosting party information included in the document,
and receives the verifiable claim returned by the hosting platform.
Optionally, if the claim identifier generated by the second generating module matches the claim identifier included in the obtained verifiable claim, the verification module queries the associated first record information from the blockchain according to the claim identifier;
and if the validity field in the queried first record information indicates that the obtained verifiable claim is in a valid state, the second signature data in the obtained verifiable claim verifies, and the access right information in the obtained verifiable claim includes the access right information to be verified, the verification module determines that the access right information to be verified passes verification.
Optionally, the apparatus further comprises a change module.
The receiving module 301 further receives a permission change request sent by the first terminal device; the permission change request asks to change the access right to the resource that was granted to the user to be authorized, and includes the access right information to be changed.
If the access right information to be changed satisfies a preset change condition, the change module performs access right change processing according to the access right information to be changed.
The sending module 304 sends the permission change result to the first terminal device.
Optionally, the permission change request further includes the first digital identity information and the second digital identity information.
The change module generates the original claim identifier from the first digital identity information and the second digital identity information according to the first preset algorithm;
if the verifiable claim corresponding to the original claim identifier is in a valid state, records the original claim identifier in association with a validity field indicating that the verifiable claim is in an invalid state, takes the recorded information as the second record information of the verifiable claim, and saves the second record information to the blockchain;
generates a new claim identifier from the first digital identity information, the second digital identity information and the original claim identifier according to the first preset algorithm;
generates a new verifiable claim from the new claim identifier, the first digital identity information, the second digital identity information and the access right information to be changed, and saves the first record information of the new verifiable claim to the blockchain;
and sends the new verifiable claim to the first terminal device, so that the first terminal device forwards it to the second terminal device of the user to be authorized, or sends the new verifiable claim together with the original claim identifier to the hosting platform, so that the hosting platform, acting for the user to be authorized, replaces the stored verifiable claim corresponding to the original claim identifier with the new verifiable claim.
Optionally, after the second generating module generates the claim identifier of the verifiable claim from the first digital identity information and the second digital identity information according to the first preset algorithm, the saving module 303 saves the claim identifier in the designated database.
Optionally, the change module determines that the verifiable claim corresponding to the original claim identifier is in a valid state if the designated database contains the original claim identifier and the target validity field obtained from the blockchain by the original claim identifier indicates that the verifiable claim is in a valid state; or
if the original claim identifier matches the claim identifier included in the permission change request, the designated database contains the original claim identifier, and the target validity field obtained from the blockchain by the original claim identifier indicates that the verifiable claim is in a valid state.
Optionally, after the change module generates the new claim identifier, the saving module 303 replaces the original claim identifier saved in the designated database with the new claim identifier.
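The verification of an authentication request and the permission change flow described above are exercised together in the following example, which is an added illustration rather than the patent's or its assignee's code. As before, an HMAC secret per identity stands in for the key pair resolved from the first digital identity information, SHA-256 stands in for the first and second preset algorithms, and the blockchain is an append-only list. One point the text leaves open deserves a caveat: the acquisition module regenerates the claim identifier from the two identities alone, yet after a change the current claim carries an identifier that also mixes in the original one, so the regenerated value would no longer match. The example resolves this by having the designated database map the identifier derived from the two identities to the currently valid claim identifier (an assumption, labeled in the code). It also compares the claim against the hash stored in the first record information, a check the record exists to support even though the text lists only the validity field, the second signature data and the permission containment. The preset access condition is modelled as a non-empty set of rights to verify, the preset change condition is not checked, and delivery is always to the hosting platform.

```python
import hashlib
import hmac
import json

# Constructed for this example. An HMAC secret per identity stands in for the key pair
# the patent resolves from the first digital identity information (ASSUMPTION).
SIGNING_KEYS = {"did:example:resource-1": b"resource-1-signing-secret"}


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(did, message: bytes) -> str:
    return hmac.new(SIGNING_KEYS[did], message, hashlib.sha256).hexdigest()


def verify_signature(did, message: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(did, message), signature)


def claim_id(resource_did, grantee_did, original_id="") -> str:
    """First preset algorithm (ASSUMPTION): SHA-256 over both identities; on a change the
    original identifier is mixed in so the replacement claim gets a fresh identifier."""
    return hashlib.sha256(f"{resource_did}|{grantee_did}|{original_id}".encode()).hexdigest()


def latest_record(ledger, cid):
    """The chain is append-only: the newest record for an identifier is the authoritative one."""
    return next((r for r in reversed(ledger) if r["claim_id"] == cid), None)


class HostingPlatform:
    """Stores claims on behalf of grantees whose identity document names it."""
    def __init__(self):
        self.store = {}

    def fetch(self, cid):
        return self.store.get(cid)

    def replace(self, original_id, new_vc):
        self.store.pop(original_id, None)
        self.store[new_vc["claim_id"]] = new_vc


class ResourceAccessServer:
    def __init__(self, hosting):
        self.ledger = []   # blockchain stand-in: list of {claim_id, hash, valid} records
        self.id_db = {}    # designated database (ASSUMPTION: base identifier -> current identifier)
        self.hosting = hosting

    def issue(self, resource_did, grantee_did, permissions, original_id=""):
        cid = claim_id(resource_did, grantee_did, original_id)
        body = {"claim_id": cid, "issuer": resource_did, "subject": grantee_did,
                "permissions": sorted(permissions)}
        vc = dict(body, proof=sign(resource_did, canonical(body)))   # second signature data
        self.ledger.append({"claim_id": cid, "hash": hashlib.sha256(canonical(vc)).hexdigest(),
                            "valid": True})                            # first record information
        self.id_db[claim_id(resource_did, grantee_did)] = cid
        self.hosting.replace(original_id, vc)
        return vc

    def verify_access(self, req):
        """Authentication request from the device where the resource lives; returns (ok, reason)."""
        resource_did, grantee_did = req["first_did"], req["second_did"]
        if not verify_signature(resource_did, req["third_specified_info"], req["third_signature"]):
            return False, "third signature data does not verify"
        wanted = set(req["permissions_to_verify"])
        if not wanted:                       # preset access condition (ASSUMPTION): non-empty
            return False, "nothing to verify"
        current = self.id_db.get(claim_id(resource_did, grantee_did))
        if current is None:
            return False, "no claim issued for this resource and grantee"
        vc = req.get("verifiable_claim") or self.hosting.fetch(current)
        if vc is None:
            return False, "claim neither supplied nor held by the hosting platform"
        if vc.get("claim_id") != current:
            return False, "claim identifier does not match the current claim"
        record = latest_record(self.ledger, current)
        if record is None or not record["valid"]:
            return False, "claim is not in a valid state on the chain"
        if record["hash"] != hashlib.sha256(canonical(vc)).hexdigest():
            return False, "claim content differs from the hash recorded on the chain"
        body = {k: v for k, v in vc.items() if k != "proof"}
        if not verify_signature(resource_did, canonical(body), vc["proof"]):
            return False, "second signature data in the claim does not verify"
        if not wanted <= set(vc["permissions"]):
            return False, "requested permissions are not all granted by the claim"
        return True, "ok"

    def change_permissions(self, resource_did, grantee_did, new_permissions):
        """Revoke the current claim on chain and issue a replacement with a new identifier."""
        original_id = self.id_db.get(claim_id(resource_did, grantee_did))
        record = latest_record(self.ledger, original_id) if original_id else None
        if record is None or not record["valid"]:
            return None, "no valid claim to change"
        # Second record information: same identifier, validity field now invalid.
        self.ledger.append({"claim_id": original_id, "hash": record["hash"], "valid": False})
        return self.issue(resource_did, grantee_did, new_permissions, original_id), None


if __name__ == "__main__":
    server = ResourceAccessServer(HostingPlatform())
    res, alice = "did:example:resource-1", "did:example:alice"
    server.issue(res, alice, {"read_only", "list"})
    nonce = b"access-check:nonce-7"          # constructed third specified information
    req = {"first_did": res, "second_did": alice, "permissions_to_verify": ["list"],
           "third_specified_info": nonce, "third_signature": sign(res, nonce)}
    print(server.verify_access(req))         # (True, 'ok')
    server.change_permissions(res, alice, {"read_only"})
    print(server.verify_access(req))         # "list" is no longer granted
```

Because the chain is append-only, revocation is expressed as a newer record for the same identifier with the validity field cleared, and the verifier must always read the latest record rather than the first match; a stale copy of the old claim presented by the grantee fails on the identifier match before any signature is even checked.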
The resource access apparatus provided in one or more embodiments of this specification generates a verifiable claim from the first digital identity information of the resource, the second digital identity information of the user to be authorized and the access right information to be granted, thereby granting the user to be authorized an access right to the resource, so that the user can access the resource on the basis of the verifiable claim. Fine-grained access authorization of a resource to a subset of users is thus achieved, which better meets the needs of service development; moreover, since the first record information of the verifiable claim is stored in the blockchain, the validity of the authorization is assured and a trustworthy basis is provided for verifying access rights.
It should be noted that the resource access apparatus embodiment and the resource access method embodiment in this specification are based on the same inventive concept; for the specific implementation of this embodiment, reference may therefore be made to the corresponding resource access method above, and repeated details are not described again.
Further, corresponding to the methods described with reference to fig. 5 to fig. 14, and based on the same technical concept, one or more embodiments of this specification also provide a resource access device configured to perform those methods; fig. 16 is a schematic structural diagram of a resource access device provided in one or more embodiments of this specification.
As shown in fig. 16, resource access devices may differ considerably in configuration or performance. A resource access device may include one or more processors 401 and a memory 402, and one or more application programs or data may be stored in the memory 402. The memory 402 may be transient or persistent storage. An application program stored in the memory 402 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the resource access device. Further still, the processor 401 may be configured to communicate with the memory 402 and execute the series of computer-executable instructions in the memory 402 on the resource access device. The resource access device may also include one or more power supplies 403, one or more wired or wireless network interfaces 404, one or more input/output interfaces 405, one or more keyboards 406, and so on.
In a particular embodiment, a resource access device includes a memory and one or more programs, where the one or more programs are stored in the memory and may include one or more modules, each module may include a series of computer-executable instructions for the resource access device, and the one or more programs are configured to be executed by one or more processors and include computer-executable instructions for:
receiving an authorization request sent by a first terminal device of the user holding a resource; the authorization request asks that the user to be authorized be granted an access right to the resource, and includes the first digital identity information of the resource, the second digital identity information of the user to be authorized and the access right information to be granted;
generating a verifiable claim from the first digital identity information, the second digital identity information and the access right information, and saving the first record information of the verifiable claim to a blockchain;
sending the verifiable claim to the first terminal device, so that the first terminal device forwards it to the second terminal device of the user to be authorized; or sending the verifiable claim to a verifiable claim hosting platform of the user to be authorized, so that the hosting platform stores the verifiable claim on behalf of that user.
The resource access device provided in one or more embodiments of this specification generates a verifiable claim from the first digital identity information of the resource, the second digital identity information of the user to be authorized and the access right information to be granted, thereby granting the user to be authorized an access right to the resource, so that the user can access the resource on the basis of the verifiable claim. Fine-grained access authorization of a resource to a subset of users is thus achieved, which better meets the needs of service development; moreover, since the first record information of the verifiable claim is stored in the blockchain, the validity of the authorization is assured and a trustworthy basis is provided for verifying access rights.
Optionally, when the computer-executable instructions are executed, generating the verifiable claim from the first digital identity information, the second digital identity information and the access right information includes:
generating the verifiable claim from the first digital identity information, the second digital identity information and the access right information if the access right information satisfies a preset authorization condition.
Optionally, when the computer-executable instructions are executed, the authorization request further includes first signature data, obtained by signing first specified information with the private key corresponding to the first digital identity information;
and determining that the access right information satisfies the preset authorization condition includes:
determining that the access right information satisfies the preset authorization condition if the first signature data verifies under the public key corresponding to the obtained first digital identity information and the access right information does not include first preset right information and second preset right information at the same time, the right corresponding to the first preset right information and the right corresponding to the second preset right information being mutually exclusive rights.
Optionally, when executed, the computer-executable instructions further perform:
sending authorization failure information to the first terminal device if the access right information does not satisfy the preset authorization condition.
Optionally, when executed, the computer-executable instructions further perform, after receiving the authorization request sent by the first terminal device of the user holding the resource:
generating a claim identifier of the verifiable claim from the first digital identity information and the second digital identity information according to a first preset algorithm.
Optionally, when the computer-executable instructions are executed, generating the verifiable claim from the first digital identity information, the second digital identity information and the access right information includes:
obtaining second signature data, the second signature data being obtained by signing second specified information with the private key corresponding to the first digital identity information;
and generating the verifiable claim from the claim identifier, the second signature data, the first digital identity information, the second digital identity information and the access right information.
Optionally, when the computer-executable instructions are executed, saving the record information of the verifiable claim to the blockchain includes:
calculating a hash value of the verifiable claim according to a second preset algorithm;
recording the claim identifier, the hash value and a validity field indicating that the verifiable claim is in a valid state in association with one another, and taking the recorded information as the first record information of the verifiable claim;
and saving the first record information to the blockchain.
Optionally, when the computer-executable instructions are executed, sending the verifiable claim to the first terminal device so that the first terminal device forwards it to the second terminal device of the user to be authorized, or sending the verifiable claim to the verifiable claim hosting platform of the user to be authorized so that the hosting platform stores it on behalf of that user, includes:
obtaining the document corresponding to the second digital identity information;
determining whether the document includes hosting party information for verifiable claims;
if it does, sending the verifiable claim to the hosting platform corresponding to the hosting party information, so that the hosting platform stores the verifiable claim on behalf of the user to be authorized;
if it does not, sending the verifiable claim to the first terminal device, so that the first terminal device forwards it to the second terminal device of the user to be authorized.
Optionally, when executed, the computer-executable instructions further perform:
receiving an authentication request sent by a third terminal device on which the resource is located; the third terminal device sends the authentication request in response to an access request from the user to be authorized for the resource, and the authentication request includes access right information to be verified;
obtaining the verifiable claim;
verifying the access right information to be verified against the first record information stored in the blockchain and the obtained verifiable claim;
and sending the verification result to the third terminal device, so that the third terminal device decides, according to the verification result, whether to allow the user to be authorized to access the resource.
Optionally, when the computer-executable instructions are executed, the authentication request further includes third signature data, obtained by signing third specified information with the private key corresponding to the first digital identity information;
and obtaining the verifiable claim includes:
obtaining the verifiable claim if the third signature data verifies under the public key corresponding to the obtained first digital identity information and the access right information to be verified satisfies a preset access condition.
Optionally, when the computer-executable instructions are executed, the authentication request further includes the first digital identity information and the second digital identity information;
after generating the claim identifier of the verifiable claim from the first digital identity information and the second digital identity information according to the first preset algorithm, the instructions further perform:
saving the claim identifier in a designated database;
and obtaining the verifiable claim includes:
regenerating the claim identifier from the first digital identity information and the second digital identity information according to the first preset algorithm;
if the regenerated claim identifier is present in the designated database, determining whether the authentication request includes the verifiable claim;
if it does, obtaining the verifiable claim from the authentication request;
if it does not, obtaining the document corresponding to the second digital identity information,
sending a request for the verifiable claim to the corresponding hosting platform according to the regenerated claim identifier and the hosting party information included in the document,
and receiving the verifiable claim returned by the hosting platform.
Optionally, when the computer-executable instructions are executed, verifying the access right information to be verified against the first record information stored in the blockchain and the obtained verifiable claim includes:
if the regenerated claim identifier matches the claim identifier included in the obtained verifiable claim, querying the associated first record information from the blockchain according to the claim identifier;
and if the validity field in the queried first record information indicates that the obtained verifiable claim is in a valid state, the second signature data in the obtained verifiable claim verifies, and the access right information in the obtained verifiable claim includes the access right information to be verified, determining that the access right information to be verified passes verification.
Optionally, when executed, the computer-executable instructions further perform:
receiving a permission change request sent by the first terminal device; the permission change request asks to change the access right to the resource that was granted to the user to be authorized, and includes the access right information to be changed;
performing access right change processing according to the access right information to be changed if the access right information to be changed satisfies a preset change condition;
and sending the permission change result to the first terminal device.
Optionally, when the computer-executable instructions are executed, the permission change request further includes the first digital identity information and the second digital identity information;
and performing access right change processing according to the access right information to be changed includes:
generating the original claim identifier from the first digital identity information and the second digital identity information according to the first preset algorithm;
if the verifiable claim corresponding to the original claim identifier is in a valid state, recording the original claim identifier in association with a validity field indicating that the verifiable claim is in an invalid state, taking the recorded information as the second record information of the verifiable claim, and saving the second record information to the blockchain;
generating a new claim identifier from the first digital identity information, the second digital identity information and the original claim identifier according to the first preset algorithm;
generating a new verifiable claim from the new claim identifier, the first digital identity information, the second digital identity information and the access right information to be changed, and saving the first record information of the new verifiable claim to the blockchain;
and sending the new verifiable claim to the first terminal device, so that the first terminal device forwards it to the second terminal device of the user to be authorized, or sending the new verifiable claim together with the original claim identifier to the hosting platform, so that the hosting platform, acting for the user to be authorized, replaces the stored verifiable claim corresponding to the original claim identifier with the new verifiable claim.
Optionally, when executed, the computer-executable instructions further perform, after generating the claim identifier of the verifiable claim from the first digital identity information and the second digital identity information according to the first preset algorithm:
saving the claim identifier in a designated database;
and determining that the verifiable claim corresponding to the original claim identifier is in a valid state includes:
determining that the verifiable claim corresponding to the original claim identifier is in a valid state if the designated database contains the original claim identifier and the target validity field obtained from the blockchain by the original claim identifier indicates that the verifiable claim is in a valid state; or
determining that the verifiable claim corresponding to the original claim identifier is in a valid state if the original claim identifier matches the claim identifier included in the permission change request, the designated database contains the original claim identifier, and the target validity field obtained from the blockchain by the original claim identifier indicates that the verifiable claim is in a valid state.
Optionally, when executed, the computer-executable instructions further perform, after generating the new claim identifier:
replacing the original claim identifier saved in the designated database with the new claim identifier.
The resource access device provided in one or more embodiments of this specification generates a verifiable claim from the first digital identity information of the resource, the second digital identity information of the user to be authorized and the access right information to be granted, thereby granting the user to be authorized an access right to the resource, so that the user can access the resource on the basis of the verifiable claim. Fine-grained access authorization of a resource to a subset of users is thus achieved, which better meets the needs of service development; moreover, since the first record information of the verifiable claim is stored in the blockchain, the validity of the authorization is assured and a trustworthy basis is provided for verifying access rights.
It should be noted that the resource access device embodiment and the resource access method embodiment in this specification are based on the same inventive concept; for the specific implementation of this embodiment, reference may therefore be made to the corresponding resource access method above, and repeated details are not described again.
Further, based on the same technical concept and corresponding to the methods shown in fig. 5 to fig. 14, one or more embodiments of this specification also provide a storage medium for storing computer-executable instructions. In a specific embodiment the storage medium may be a USB flash drive, an optical disk, a hard disk or the like, and the computer-executable instructions it stores, when executed by a processor, implement the following process:
receiving an authorization request sent by a first terminal device of the user holding a resource; the authorization request asks that the user to be authorized be granted an access right to the resource, and includes the first digital identity information of the resource, the second digital identity information of the user to be authorized and the access right information to be granted;
generating a verifiable claim from the first digital identity information, the second digital identity information and the access right information, and saving the first record information of the verifiable claim to a blockchain;
sending the verifiable claim to the first terminal device, so that the first terminal device forwards it to the second terminal device of the user to be authorized; or sending the verifiable claim to a verifiable claim hosting platform of the user to be authorized, so that the hosting platform stores the verifiable claim on behalf of that user.
When executed by a processor, the computer-executable instructions stored in the storage medium provided in one or more embodiments of this specification generate a verifiable claim from the first digital identity information of the resource, the second digital identity information of the user to be authorized and the access right information to be granted, thereby granting the user to be authorized an access right to the resource, so that the user can access the resource on the basis of the verifiable claim. Fine-grained access authorization of a resource to a subset of users is thus achieved, which better meets the needs of service development; moreover, since the first record information of the verifiable claim is stored in the blockchain, the validity of the authorization is assured and a trustworthy basis is provided for verifying access rights.
Optionally, the storage medium stores computer executable instructions that, when executed by a processor, generate a verifiable claim based on the first digital identity information, the second digital identity information, and the access rights information, comprising:
and if the access authority information is determined to meet the preset authorization condition, generating a verifiable statement according to the first digital identity information, the second digital identity information and the access authority information.
Optionally, the storage medium stores computer-executable instructions that, when executed by the processor, further comprise: first signature data; the first signature data is obtained by signing first specified information by using a private key corresponding to the first digital identity information;
the determining that the access right information meets a preset authorization condition includes:
if the first signature data passes verification according to the public key corresponding to the acquired first digital identity information and the access authority information is determined not to simultaneously comprise first preset authority information and second preset authority information, determining that the access authority information meets a preset authorization condition; and the authority corresponding to the first preset authority information and the authority corresponding to the second preset authority information are mutually exclusive authorities.
Optionally, the storage medium stores computer-executable instructions that, when executed by the processor, further comprise:
and if the access authority information is determined not to meet the preset authorization condition, sending authorization failure information to the first terminal equipment.
Optionally, the computer-executable instructions stored in the storage medium, when executed by the processor, further implement, after the authorization request sent by the first terminal device of the user holding the resource is received:
generating a claim identifier of the verifiable claim based on the first digital identity information and the second digital identity information according to a first preset algorithm.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, generating the verifiable claim based on the first digital identity information, the second digital identity information and the access permission information includes:
acquiring second signature data, the second signature data being obtained by signing second specified information with the private key corresponding to the first digital identity information;
generating the verifiable claim from the claim identifier, the second signature data, the first digital identity information, the second digital identity information and the access permission information.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, saving the record information of the verifiable claim to the blockchain includes:
calculating a hash value of the verifiable claim according to a second preset algorithm;
associating the claim identifier, the hash value and a validity field indicating that the verifiable claim is in a valid state into one record, and taking the recorded information as first record information of the verifiable claim;
saving the first record information to the blockchain.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, sending the verifiable claim to the first terminal device so that the first terminal device forwards it to a second terminal device of the user to be authorized, or sending the verifiable claim to a verifiable-claim hosting platform of the user to be authorized so that the hosting platform stores it on behalf of that user, includes:
acquiring the document corresponding to the second digital identity information;
determining whether the document includes hosting party information for verifiable claims;
if so, sending the verifiable claim to the hosting platform corresponding to the hosting party information, so that the hosting platform stores the verifiable claim on behalf of the user to be authorized;
if not, sending the verifiable claim to the first terminal device, so that the first terminal device forwards the verifiable claim to the second terminal device of the user to be authorized.
Optionally, the computer-executable instructions stored in the storage medium, when executed by the processor, further implement:
receiving an authentication request sent by a third terminal device on which the resource is located; the authentication request is sent by the third terminal device in response to an access request from the user to be authorized for the resource, and includes the access permission information to be verified;
obtaining the verifiable claim;
verifying the access permission information to be verified based on the first record information saved on the blockchain and the obtained verifiable claim;
sending the verification result to the third terminal device, so that the third terminal device determines from the verification result whether to allow the user to be authorized to access the resource.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, the authentication request further includes third signature data, the third signature data being obtained by signing third specified information with the private key corresponding to the first digital identity information;
obtaining the verifiable claim then includes:
if the third signature data is verified successfully with the public key corresponding to the acquired first digital identity information, and the access permission information to be verified meets a preset access condition, obtaining the verifiable claim.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, the authentication request further includes the first digital identity information and the second digital identity information;
after the claim identifier of the verifiable claim is generated based on the first digital identity information and the second digital identity information according to the first preset algorithm, the method further includes:
saving the claim identifier to a designated database;
obtaining the verifiable claim then includes:
generating a claim identifier based on the first digital identity information and the second digital identity information according to the first preset algorithm;
if the generated claim identifier is determined to be present in the designated database, determining whether the authentication request includes the verifiable claim;
if so, obtaining the verifiable claim from the authentication request;
if not, acquiring the document corresponding to the second digital identity information; and
sending an acquisition request for the verifiable claim to the corresponding hosting platform according to the generated claim identifier and the hosting party information included in the document;
receiving the verifiable claim sent by the hosting platform.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, verifying the access permission information to be verified based on the first record information saved on the blockchain and the obtained verifiable claim includes:
if the generated claim identifier matches the claim identifier included in the obtained verifiable claim, querying the blockchain for the associated first record information by that claim identifier;
if the validity field in the queried first record information indicates that the obtained verifiable claim is in a valid state, the second signature data in the obtained verifiable claim is verified successfully, and the access permission information in the obtained verifiable claim includes the access permission information to be verified, determining that the access permission information to be verified passes verification.
Optionally, the computer-executable instructions stored in the storage medium, when executed by the processor, further implement:
receiving a permission change request sent by the first terminal device; the permission change request requests a change to the access permission for the resource granted to the user to be authorized, and includes the access permission information to be changed;
if the access permission information to be changed meets a preset change condition, performing access permission change processing according to the access permission information to be changed;
sending the permission change result to the first terminal device.
Optionally, when the computer-executable instructions stored in the storage medium are executed by the processor, the permission change request further includes the first digital identity information and the second digital identity information;
performing the access permission change processing according to the access permission information to be changed includes:
generating the original claim identifier based on the first digital identity information and the second digital identity information according to the first preset algorithm;
if the verifiable claim corresponding to the original claim identifier is determined to be in a valid state, associating the original claim identifier with a validity field indicating that the verifiable claim is in an invalid state into one record, taking the recorded information as second record information of the verifiable claim, and saving the second record information to the blockchain; and
generating a new claim identifier based on the first digital identity information, the second digital identity information and the original claim identifier according to the first preset algorithm;
generating a new verifiable claim from the new claim identifier, the first digital identity information, the second digital identity information and the access permission information to be changed, and saving the first record information of the new verifiable claim to the blockchain;
sending the new verifiable claim to the first terminal device so that the first terminal device forwards it to the second terminal device of the user to be authorized; or sending the new verifiable claim and the original claim identifier to the hosting platform, so that the hosting platform, on behalf of the user to be authorized, replaces the stored verifiable claim corresponding to the original claim identifier with the new verifiable claim.
Optionally, the computer-executable instructions stored in the storage medium, when executed by the processor, further implement, after the claim identifier of the verifiable claim is generated based on the first digital identity information and the second digital identity information according to the first preset algorithm:
saving the claim identifier to a designated database;
determining that the verifiable claim corresponding to the original claim identifier is in a valid state then includes:
if the designated database includes the original claim identifier, and the target validity field obtained from the blockchain by the original claim identifier indicates that the verifiable claim is in a valid state, determining that the verifiable claim corresponding to the original claim identifier is in a valid state; or
if the original claim identifier is determined to match the claim identifier included in the permission change request, the designated database includes the original claim identifier, and the target validity field obtained from the blockchain by the original claim identifier indicates that the verifiable claim is in a valid state, determining that the verifiable claim corresponding to the original claim identifier is in a valid state.
Optionally, the computer-executable instructions stored in the storage medium, when executed by the processor, further implement, after the new claim identifier is generated:
updating the original claim identifier stored in the designated database to the new claim identifier.
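The issuance, authentication and permission-change flows described above can be exercised end to end in a small service. The Python below is an added example written for this page, not code from the patent or from its assignee, and it runs on the standard library alone. Its stand-ins are assumptions: Lamport one-time signatures play the part of the DID key pair (the resource's DID document is taken to list a pool of one-time public keys, and each signature names the key it used), the "specified information" each of the three signatures covers is taken to be a canonical-JSON record tagged with its purpose, `read_only` and `write` are the assumed mutually exclusive permission pair, an in-memory list stands in for the blockchain, and dicts stand in for the hosting platform and the designated database. Two checks go beyond the text and are marked as such in the code: the verifier also compares the presented claim against the hash anchored on the chain, and a one-time key that is already bound to one message is refused for any other message.

```python
"""Toy DID/VC resource-access service (hypothetical example, not the patent's code). Assumed stand-ins:
Lamport one-time signatures for the DID key pair (a DID document lists a pool of one-time public
keys), a purpose-tagged canonical-JSON record as the 'specified information' each signature covers,
an in-memory list for the blockchain and a dict for the verifiable-claim hosting platform."""
import hashlib, json, os

def H(b): return hashlib.sha256(b).digest()
def canon(o): return json.dumps(o, sort_keys=True, separators=(",", ":")).encode()
EXCLUSIVE = {("read_only", "write")}           # assumed pair of mutually exclusive permissions

def lamport_keygen():                          # one-time key: 256 pairs of random preimages
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a).hex(), H(b).hex()) for a, b in sk]
def lamport_sign(sk, msg):                     # reveal one preimage per bit of H(msg)
    bits = int.from_bytes(H(msg), "big")
    return [sk[i][(bits >> (255 - i)) & 1].hex() for i in range(256)]
def lamport_verify(pk, msg, sig):
    bits = int.from_bytes(H(msg), "big")
    return len(sig) == 256 and all(
        H(bytes.fromhex(sig[i])).hex() == pk[i][(bits >> (255 - i)) & 1] for i in range(256))

def claim_id(res_did, user_did, prev=None):    # 'first preset algorithm' (assumed: SHA-256)
    return H("|".join([res_did, user_did] + ([prev] if prev else [])).encode()).hex()
def allowed(perms):                            # preset authorization / change condition
    return not any({a, b} <= set(perms) for a, b in EXCLUSIVE)

class AuthService:
    def __init__(self, did_docs):
        self.docs, self.chain, self.used = did_docs, [], {}   # chain: append-only record list
        self.db = {}       # designated database: original claim id -> current claim id
        self.hosted = {}   # stand-in for the hosting platform: claim id -> VC
    def _latest(self, cid):                    # newest chain record wins: revocation beats issuance
        return next((r for r in reversed(self.chain) if r["claim_id"] == cid), None)
    def _check_sig(self, did, msg, s):         # s["key"] picks one key of the DID's pool; a one-time
        ok = lamport_verify(self.docs[did]["keys"][s["key"]], msg, s["sig"])   # key may be verified
        return ok and self.used.setdefault((did, s["key"]), H(msg)) == H(msg)  # for one message only
    def _issue(self, cid, grant, sig2):
        if not self._check_sig(grant["resource"], canon({"purpose": "grant", **grant}), sig2):
            return {"ok": False, "reason": "second signature invalid"}
        vc = {"claim_id": cid, **grant, "sig2": sig2}
        self.chain.append({"claim_id": cid, "hash": H(canon(vc)).hex(), "valid": True})  # 1st record
        host = self.docs[grant["user"]].get("hosting")   # DID document names a hosting party?
        if host: self.hosted[cid] = vc                   # yes: the platform stores it for the user
        return {"ok": True, "to": host or "first_terminal", "vc": vc}  # no: back via the holder
    def authorize(self, req):                  # authorization request from the holder's terminal
        grant = {"resource": req["resource"], "user": req["user"], "perms": sorted(req["perms"])}
        if not self._check_sig(req["resource"], canon({"purpose": "authorize", **grant}), req["sig1"]):
            return {"ok": False, "reason": "first signature invalid"}
        if not allowed(grant["perms"]):
            return {"ok": False, "reason": "mutually exclusive permissions"}
        cid = claim_id(grant["resource"], grant["user"])
        self.db[cid] = cid
        return self._issue(cid, grant, req["sig2"])
    def authenticate(self, req):               # authentication request from the resource's terminal
        want = {"resource": req["resource"], "user": req["user"], "perms": sorted(req["perms"])}
        if not self._check_sig(req["resource"], canon({"purpose": "authenticate", **want}), req["sig3"]):
            return False
        cur = self.db.get(claim_id(req["resource"], req["user"]))
        vc, rec = req.get("vc") or self.hosted.get(cur), self._latest(cur)
        if not (vc and rec and rec["valid"] and vc["claim_id"] == cur
                and rec["hash"] == H(canon(vc)).hex()):   # added: VC must match the anchored hash
            return False
        grant = {k: vc[k] for k in ("resource", "user", "perms")}
        return (self._check_sig(vc["resource"], canon({"purpose": "grant", **grant}), vc["sig2"])
                and set(want["perms"]) <= set(vc["perms"]))
    def change(self, req):                     # permission change request from the holder's terminal
        orig = claim_id(req["resource"], req["user"])
        cur = self.db.get(orig)
        grant = {"resource": req["resource"], "user": req["user"], "perms": sorted(req["perms"])}
        rec = self._latest(cur)
        if not (rec and rec["valid"] and allowed(grant["perms"])):
            return {"ok": False, "reason": "no valid claim, or change condition not met"}
        self.chain.append({"claim_id": cur, "valid": False})   # 2nd record: revoke the old claim
        self.hosted.pop(cur, None)
        new = claim_id(req["resource"], req["user"], prev=cur)  # chained from the superseded id
        self.db[orig] = new
        return self._issue(new, grant, req["sig2"])

def demo():                                    # constructed walk-through; returns the outcomes
    keys = [lamport_keygen() for _ in range(7)]                # resource DID's one-time key pool
    svc = AuthService({"did:ex:res": {"keys": [pk for _, pk in keys]},
                       "did:ex:alice": {"keys": [], "hosting": "https://host.example"}})
    def sign(i, purpose, g):
        return {"key": i, "sig": lamport_sign(keys[i][0], canon({"purpose": purpose, **g}))}
    def grant_req(g, i, j): return {**g, "sig1": sign(i, "authorize", g), "sig2": sign(j, "grant", g)}
    read = {"resource": "did:ex:res", "user": "did:ex:alice", "perms": ["read_only"]}
    write, both = {**read, "perms": ["write"]}, {**read, "perms": ["read_only", "write"]}
    out = {"rejected": svc.authorize(grant_req(both, 0, 1))["reason"],
           "issued_to": svc.authorize(grant_req(read, 2, 3))["to"]}
    s_r, s_w = sign(4, "authenticate", read), sign(5, "authenticate", write)
    out["read_before"] = svc.authenticate({**read, "sig3": s_r})
    out["write_before"] = svc.authenticate({**write, "sig3": s_w})
    out["changed"] = svc.change({**write, "sig2": sign(6, "grant", write)})["ok"]
    out["read_after"] = svc.authenticate({**read, "sig3": s_r})   # same key, same message: accepted
    out["write_after"] = svc.authenticate({**write, "sig3": s_w})
    return out

if __name__ == "__main__":
    print(demo())
```

`demo()` issues a read-only claim that is routed to the hosting platform named in the user's DID document, verifies a read and refuses a write, changes the grant to write-only (which appends the revocation record for the old claim identifier and anchors a new, chained one), and then shows that the earlier read authentication fails while the write one succeeds. Where the page leaves the identifier for a second change unspecified, the example chains the new identifier from the one it supersedes. Replacing the Lamport pool with the asymmetric key published in a real DID document changes only the `lamport_*` functions and `_check_sig`.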
When executed by a processor, the computer-executable instructions stored in the storage medium provided in one or more embodiments of this specification generate a verifiable claim from the first digital identity information of the resource, the second digital identity information of the user to be authorized, the access permission information to be granted, and so on, thereby granting the user to be authorized access permission for the resource, so that the user to be authorized can access the corresponding resource based on the verifiable claim. Fine-grained authorization of resource access to a subset of users is thus achieved, which better meets service development requirements. Moreover, the first record information of the verifiable claim is stored on the blockchain, which ensures the validity of the authorization and provides a valid basis for verifying the access permission.
It should be noted that the storage medium embodiment in this specification and the resource access method embodiment in this specification are based on the same inventive concept; for the specific implementation of this embodiment, refer to the implementation of the corresponding resource access method above, and repeated details are not described again.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
In the 1990s, an improvement in a technology could clearly be distinguished as an improvement in hardware (for example, an improvement in a circuit structure such as a diode, transistor or switch) or an improvement in software (an improvement in a method flow). However, as technology develops, many of today's improvements in method flows can be regarded as direct improvements in hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement in a method flow cannot be realized by a hardware entity module. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer programs a digital system "integrated" on a PLD without asking the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, nowadays this programming is mostly done with "logic compiler" software rather than by manually making the integrated circuit chip; the logic compiler is similar to the software compiler used in program development, and the source code to be compiled is written in a specific programming language called a Hardware Description Language (HDL). There is not one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller; examples include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K30 and Silicon Labs C8051F330. The memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely as computer-readable program code, the same functionality can be achieved by logically programming the method steps so that the controller takes the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may therefore be regarded as a hardware component, and the means included in it for performing the various functions may also be regarded as structures within the hardware component; indeed, the means for performing the functions may be regarded both as software modules implementing the method and as structures within the hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functions of the units may be implemented in the same software and/or hardware or in multiple software and/or hardware when implementing the embodiments of the present description.
One skilled in the art will recognize that one or more embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The description has been presented with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
One or more embodiments of the present description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of this document and is not intended to limit this document. Various modifications and changes may occur to those skilled in the art from this document. Any modifications, equivalents, improvements, etc. which come within the spirit and principle of the disclosure are intended to be included within the scope of the claims of this document.

Claims (16)

1. A resource access method, comprising:
receiving an authorization request sent by a first terminal device of a user holding a resource; the authorization request requests that access permission for the resource be granted to a user to be authorized, and includes first digital identity information of the resource, second digital identity information of the user to be authorized, and access permission information to be granted;
if the access permission information is determined to meet a preset authorization condition, generating a claim identifier of a verifiable claim based on the first digital identity information and the second digital identity information according to a first preset algorithm;
generating the verifiable claim from the first digital identity information, the second digital identity information, the access permission information and the claim identifier;
calculating a hash value of the verifiable claim according to a second preset algorithm; associating the claim identifier, the hash value and a validity field indicating that the verifiable claim is in a valid state into one record, and taking the recorded information as first record information of the verifiable claim; saving the first record information to a blockchain;
sending the verifiable claim to the first terminal device so that the first terminal device forwards the verifiable claim to a second terminal device of the user to be authorized; or sending the verifiable claim to a verifiable-claim hosting platform of the user to be authorized so that the hosting platform stores the verifiable claim on behalf of the user to be authorized; and
receiving an authentication request sent by a third terminal device on which the resource is located; the authentication request is sent by the third terminal device in response to an access request from the user to be authorized for the resource, and includes access permission information to be verified;
obtaining the verifiable claim, and verifying the access permission information to be verified based on the first record information saved on the blockchain and the obtained verifiable claim;
sending a verification result to the third terminal device, so that the third terminal device determines from the verification result whether to allow the user to be authorized to access the resource.
2. The method of claim 1, wherein the authorization request further comprises first signature data, the first signature data being obtained by signing first specified information with a private key corresponding to the first digital identity information;
and the determining that the access permission information meets a preset authorization condition comprises:
if the first signature data is verified successfully with the public key corresponding to the acquired first digital identity information, and the access permission information is determined not to include both first preset permission information and second preset permission information, determining that the access permission information meets the preset authorization condition; the permission corresponding to the first preset permission information and the permission corresponding to the second preset permission information being mutually exclusive permissions.
3. The method of claim 1 or 2, further comprising:
if the access permission information is determined not to meet the preset authorization condition, sending authorization failure information to the first terminal device.
4. The method of claim 1, wherein the generating the verifiable claim from the first digital identity information, the second digital identity information, the access permission information and the claim identifier comprises:
acquiring second signature data, the second signature data being obtained by signing second specified information with a private key corresponding to the first digital identity information;
generating the verifiable claim from the claim identifier, the second signature data, the first digital identity information, the second digital identity information and the access permission information.
5. The method of claim 1, wherein the sending the verifiable claim to the first terminal device so that the first terminal device forwards the verifiable claim to the second terminal device of the user to be authorized, or sending the verifiable claim to the verifiable-claim hosting platform of the user to be authorized so that the hosting platform stores the verifiable claim on behalf of the user to be authorized, comprises:
acquiring a document corresponding to the second digital identity information;
determining whether the document includes hosting party information for verifiable claims;
if so, sending the verifiable claim to the hosting platform corresponding to the hosting party information, so that the hosting platform stores the verifiable claim on behalf of the user to be authorized;
if not, sending the verifiable claim to the first terminal device, so that the first terminal device forwards the verifiable claim to the second terminal device of the user to be authorized.
6. The method of claim 1, wherein the authentication request further comprises third signature data, the third signature data being obtained by signing third specified information with a private key corresponding to the first digital identity information;
and the obtaining the verifiable claim comprises:
if the third signature data is verified successfully with the public key corresponding to the acquired first digital identity information, and the access permission information to be verified meets a preset access condition, obtaining the verifiable claim.
7. The method of claim 1, wherein the authentication request further comprises the first digital identity information and the second digital identity information;
after the generating the claim identifier of the verifiable claim based on the first digital identity information and the second digital identity information according to the first preset algorithm, the method further comprises:
saving the claim identifier to a designated database;
and the obtaining the verifiable claim comprises:
generating a claim identifier based on the first digital identity information and the second digital identity information according to the first preset algorithm;
if the generated claim identifier is determined to be present in the designated database, determining whether the authentication request includes the verifiable claim;
if so, obtaining the verifiable claim from the authentication request;
if not, acquiring a document corresponding to the second digital identity information; and
sending an acquisition request for the verifiable claim to the corresponding hosting platform according to the generated claim identifier and the hosting party information included in the document;
receiving the verifiable claim sent by the hosting platform.
8. The method of claim 7, wherein the verifying the access permission information to be verified based on the first record information saved on the blockchain and the obtained verifiable claim comprises:
if the generated claim identifier matches the claim identifier included in the obtained verifiable claim, querying the blockchain for the associated first record information by that claim identifier;
if the validity field in the queried first record information indicates that the obtained verifiable claim is in a valid state, the second signature data in the obtained verifiable claim is verified successfully, and the access permission information in the obtained verifiable claim includes the access permission information to be verified, determining that the access permission information to be verified passes verification.
9. The method of claim 1, further comprising:
receiving a permission change request sent by the first terminal equipment; the permission changing request is used for requesting to change the access permission of the resource granted to the user to be authorized; the permission change request comprises access permission information to be changed;
if the access authority information to be changed meets the preset changing condition, carrying out access authority changing processing according to the access authority information to be changed;
and sending the permission change result to the first terminal equipment.
10. The method of claim 9, the permission change request further comprising the first digital identity information and the second digital identity information;
wherein performing access permission change processing according to the access permission information to be changed comprises:
generating an original claim identifier based on the first digital identity information and the second digital identity information according to the first preset algorithm;
if the verifiable claim corresponding to the original claim identifier is determined to be in a valid state, associating the original claim identifier with a validity field indicating that the verifiable claim is in an invalid state into a record, taking the recorded information as second record information of the verifiable claim, and storing the second record information in the blockchain; and
generating a new claim identifier based on the first digital identity information, the second digital identity information and the original claim identifier according to the first preset algorithm;
generating a new verifiable claim according to the new claim identifier, the first digital identity information, the second digital identity information and the access permission information to be changed, and storing first record information of the new verifiable claim in the blockchain; and
sending the new verifiable claim to the first terminal device so that the first terminal device forwards the new verifiable claim to the second terminal device of the user to be authorized; or sending the new verifiable claim and the original claim identifier to the hosting platform so that the hosting platform, acting for the user to be authorized, replaces the stored verifiable claim corresponding to the original claim identifier with the new verifiable claim.
11. The method of claim 10, further comprising, after generating the claim identifier of the verifiable claim based on the first digital identity information and the second digital identity information according to the first preset algorithm:
saving the claim identifier to a designated database;
wherein determining that the verifiable claim corresponding to the original claim identifier is in a valid state comprises:
if the designated database contains the original claim identifier and the target validity field retrieved from the blockchain by the original claim identifier indicates that the verifiable claim is in a valid state, determining that the verifiable claim corresponding to the original claim identifier is in a valid state; or
if the original claim identifier matches the claim identifier included in the permission change request, the designated database contains the original claim identifier, and the target validity field retrieved from the blockchain by the original claim identifier indicates that the verifiable claim is in a valid state, determining that the verifiable claim corresponding to the original claim identifier is in a valid state.
12. The method of claim 11, further comprising, after generating the new claim identifier:
updating the original claim identifier stored in the designated database to the new claim identifier.
13. A resource access apparatus, comprising:
a receiving module that receives an authorization request sent by a first terminal device of a holding user of a resource, the authorization request requesting that access permission for the resource be granted to a user to be authorized and including first digital identity information of the resource, second digital identity information of the user to be authorized, and access permission information to be granted;
a second generation module that, if the access permission information is determined to satisfy a preset authorization condition, generates a claim identifier of a verifiable claim based on the first digital identity information and the second digital identity information according to a first preset algorithm;
a first generation module that generates the verifiable claim according to the first digital identity information, the second digital identity information, the access permission information and the claim identifier;
a storage module that computes a hash value of the verifiable claim according to a second preset algorithm, associates the claim identifier, the hash value and a validity field indicating that the verifiable claim is in a valid state into a record, takes the recorded information as first record information of the verifiable claim, and stores the first record information in a blockchain;
a sending module that sends the verifiable claim to the first terminal device so that the first terminal device forwards the verifiable claim to a second terminal device of the user to be authorized, or sends the verifiable claim to a verifiable claim hosting platform of the user to be authorized so that the hosting platform stores the verifiable claim on behalf of the user to be authorized;
wherein the receiving module further receives a verification request sent by a third terminal device where the resource is located, the verification request being sent by the third terminal device in response to an access request by the user to be authorized for the resource and including access permission information to be verified;
an obtaining module that obtains the verifiable claim;
a verification module that verifies the access permission information to be verified based on the first record information stored in the blockchain and the obtained verifiable claim; and
wherein the sending module further sends a verification result to the third terminal device so that the third terminal device determines, according to the verification result, whether to allow the user to be authorized to access the resource.
14. The apparatus of claim 13, further comprising a change module;
wherein the receiving module further receives a permission change request sent by the first terminal device, the permission change request requesting a change to the access permission of the resource granted to the user to be authorized and including access permission information to be changed;
the change module performs access permission change processing according to the access permission information to be changed if the access permission information to be changed is determined to satisfy the preset authorization condition; and
the sending module further sends the permission change result to the first terminal device.
15. A resource access device, comprising:
a processor; and
a memory arranged to store computer-executable instructions that, when executed, cause the processor to:
receive an authorization request sent by a first terminal device of a holding user of a resource, the authorization request requesting that access permission for the resource be granted to a user to be authorized and including first digital identity information of the resource, second digital identity information of the user to be authorized, and access permission information to be granted;
if the access permission information is determined to satisfy a preset authorization condition, generate a claim identifier of a verifiable claim based on the first digital identity information and the second digital identity information according to a first preset algorithm;
generate the verifiable claim according to the first digital identity information, the second digital identity information, the access permission information and the claim identifier;
compute a hash value of the verifiable claim according to a second preset algorithm, associate the claim identifier, the hash value and a validity field indicating that the verifiable claim is in a valid state into a record, take the recorded information as first record information of the verifiable claim, and store the first record information in a blockchain;
send the verifiable claim to the first terminal device so that the first terminal device forwards the verifiable claim to a second terminal device of the user to be authorized, or send the verifiable claim to a verifiable claim hosting platform of the user to be authorized so that the hosting platform stores the verifiable claim on behalf of the user to be authorized; and
receive a verification request sent by a third terminal device where the resource is located, the verification request being sent by the third terminal device in response to an access request by the user to be authorized for the resource and including access permission information to be verified;
obtain the verifiable claim, and verify the access permission information to be verified based on the first record information stored in the blockchain and the obtained verifiable claim; and
send a verification result to the third terminal device so that the third terminal device determines, according to the verification result, whether to allow the user to be authorized to access the resource.
16. A storage medium storing computer-executable instructions that, when executed, implement the following:
receiving an authorization request sent by a first terminal device of a holding user of a resource, the authorization request requesting that access permission for the resource be granted to a user to be authorized and including first digital identity information of the resource, second digital identity information of the user to be authorized, and access permission information to be granted;
if the access permission information is determined to satisfy a preset authorization condition, generating a claim identifier of a verifiable claim based on the first digital identity information and the second digital identity information according to a first preset algorithm;
generating the verifiable claim according to the first digital identity information, the second digital identity information, the access permission information and the claim identifier;
computing a hash value of the verifiable claim according to a second preset algorithm, associating the claim identifier, the hash value and a validity field indicating that the verifiable claim is in a valid state into a record, taking the recorded information as first record information of the verifiable claim, and storing the first record information in a blockchain;
sending the verifiable claim to the first terminal device so that the first terminal device forwards the verifiable claim to a second terminal device of the user to be authorized, or sending the verifiable claim to a verifiable claim hosting platform of the user to be authorized so that the hosting platform stores the verifiable claim on behalf of the user to be authorized; and
receiving a verification request sent by a third terminal device where the resource is located, the verification request being sent by the third terminal device in response to an access request by the user to be authorized for the resource and including access permission information to be verified;
obtaining the verifiable claim, and verifying the access permission information to be verified based on the first record information stored in the blockchain and the obtained verifiable claim; and
sending a verification result to the third terminal device so that the third terminal device determines, according to the verification result, whether to allow the user to be authorized to access the resource.
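The issue, verify and change flow recited in claims 8 through 16 (issue a verifiable claim and anchor its identifier, hash and validity flag on the chain; verify a presented claim against that record; revoke and re-issue on a permission change, deriving the new claim identifier from the original one), as an added example written for this page. It is not code from the patent, its assignee or any product; everything it fixes that the claims leave open is an assumption: SHA-256 stands in for both the "first" and "second preset algorithm", HMAC-SHA256 under a single issuer key stands in for the signature carried in the claim (the "second signature data"), an in-memory append-only list stands in for the blockchain, a Python set stands in for the "designated database", and the DIDs and permission strings are constructed test data.

```python
"""Added example (not from the patent): verifiable-claim issue / verify / change flow.

Assumptions, not specified by the claims:
  - gen_claim_id / vc_hash use SHA-256 as the "first" and "second preset algorithm";
  - the claim signature is an HMAC-SHA256 under ISSUER_KEY (a real deployment would
    use an asymmetric signature under the issuer's DID key);
  - the blockchain is an append-only Python list; the designated database is a set.
"""
import hashlib
import hmac
import json

ISSUER_KEY = b"example-issuer-key"   # stand-in for the issuer's signing key (assumption)


def gen_claim_id(did_resource: str, did_user: str, prev_id: str = "") -> str:
    """First preset algorithm (assumed): SHA-256 over the two DIDs; claim 10 adds the
    original claim identifier when a changed claim is derived."""
    return hashlib.sha256("|".join([did_resource, did_user, prev_id]).encode()).hexdigest()


def vc_hash(vc: dict) -> str:
    """Second preset algorithm (assumed): SHA-256 over the canonical JSON of the claim."""
    return hashlib.sha256(json.dumps(vc, sort_keys=True).encode()).hexdigest()


def sign(payload: dict) -> str:
    """Stand-in for the issuer signature carried in the claim ('second signature data')."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


class Issuer:
    def __init__(self):
        self.chain = []   # append-only records: the blockchain stand-in
        self.db = set()   # "designated database" of live claim identifiers (claim 11)

    def _record(self, claim_id, digest, valid):
        self.chain.append({"claim_id": claim_id, "hash": digest, "valid": valid})

    def _latest(self, claim_id):
        """Most recent chain record for a claim identifier (a later revocation record
        overrides the first record information)."""
        for rec in reversed(self.chain):
            if rec["claim_id"] == claim_id:
                return rec
        return None

    def issue(self, did_resource, did_user, rights, prev_id=""):
        claim_id = gen_claim_id(did_resource, did_user, prev_id)
        body = {"id": claim_id, "resource": did_resource, "holder": did_user,
                "rights": sorted(rights)}
        vc = dict(body, signature=sign(body))
        self._record(claim_id, vc_hash(vc), True)   # first record information
        self.db.add(claim_id)
        return vc

    def verify(self, vc, rights_to_verify):
        """Claim 8: chain record valid, claim hash matches the record, signature verifies,
        and the permission being checked is contained in the granted permission."""
        rec = self._latest(vc.get("id", ""))
        if rec is None or not rec["valid"] or rec["hash"] != vc_hash(vc):
            return False
        body = {k: v for k, v in vc.items() if k != "signature"}
        if not hmac.compare_digest(sign(body), vc.get("signature", "")):
            return False
        return set(rights_to_verify) <= set(vc["rights"])

    def change(self, did_resource, did_user, new_rights, request_claim_id=None):
        """Claims 10-12: derive the original identifier (or take the one carried in the
        change request), refuse unless it is in the database and valid on-chain, write the
        revocation (second record information), then issue a chained replacement."""
        original_id = gen_claim_id(did_resource, did_user)
        if request_claim_id is not None:
            original_id = request_claim_id
        rec = self._latest(original_id)
        if original_id not in self.db or rec is None or not rec["valid"]:
            return None
        self._record(original_id, rec["hash"], False)   # second record information
        self.db.discard(original_id)                     # claim 12: replaced by the new id
        return self.issue(did_resource, did_user, new_rights, prev_id=original_id)


if __name__ == "__main__":
    issuer = Issuer()
    vc1 = issuer.issue("did:example:res1", "did:example:alice", ["read"])
    vc2 = issuer.change("did:example:res1", "did:example:alice", ["read", "write"])
    print("old claim still accepted:", issuer.verify(vc1, ["read"]))
    print("new claim accepted:", issuer.verify(vc2, ["write"]))
```

The check a verifier cares about is that a revoked claim is rejected even though its bytes are untouched and its signature still verifies: the validity field on the chain, not the signature, is what the change flow flips. After the first change the recomputed identifier from the two DIDs alone is no longer in the database, so a second change has to carry the current identifier in the request, which is the second branch of claim 11.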
CN202010140438.5A 2020-03-03 2020-03-03 Resource access method, device and equipment Active CN110990804B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202010752958.1A CN111680274B (en) 2020-03-03 2020-03-03 Resource access method, device and equipment
CN202010140438.5A CN110990804B (en) 2020-03-03 2020-03-03 Resource access method, device and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010140438.5A CN110990804B (en) 2020-03-03 2020-03-03 Resource access method, device and equipment

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN202010752958.1A Division CN111680274B (en) 2020-03-03 2020-03-03 Resource access method, device and equipment

Publications (2)

Publication Number Publication Date
CN110990804A CN110990804A (en) 2020-04-10
CN110990804B true CN110990804B (en) 2020-08-14

Family

ID=70081298

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202010752958.1A Active CN111680274B (en) 2020-03-03 2020-03-03 Resource access method, device and equipment
CN202010140438.5A Active CN110990804B (en) 2020-03-03 2020-03-03 Resource access method, device and equipment

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202010752958.1A Active CN111680274B (en) 2020-03-03 2020-03-03 Resource access method, device and equipment

Country Status (1)

Country Link
CN (2) CN111680274B (en)

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111431936B (en) * 2020-04-17 2021-09-21 支付宝(杭州)信息技术有限公司 Authorization processing method, device, equipment, system and storage medium based on verifiable statement
CN111881472B (en) * 2020-07-22 2024-04-26 云账户技术(天津)有限公司 Data access control method, system, authority management system and medium
CN111737368B (en) 2020-07-24 2020-12-18 支付宝(杭州)信息技术有限公司 Data processing method, device, equipment and medium
CN111680305B (en) * 2020-07-31 2023-04-18 支付宝(杭州)信息技术有限公司 Data processing method, device and equipment based on block chain
CN111901359B (en) * 2020-08-07 2023-01-31 广州运通链达金服科技有限公司 Resource account authorization method, device, system, computer equipment and medium
CN111818094B (en) 2020-08-28 2021-01-05 支付宝(杭州)信息技术有限公司 Identity registration method, device and equipment
CN111815420B (en) 2020-08-28 2021-07-06 支付宝(杭州)信息技术有限公司 Matching method, device and equipment based on trusted asset data
CN111741036B (en) * 2020-08-28 2020-12-18 支付宝(杭州)信息技术有限公司 Trusted data transmission method, device and equipment
CN111814172A (en) 2020-08-28 2020-10-23 支付宝(杭州)信息技术有限公司 Method, device and equipment for acquiring data authorization information
CN113434849A (en) 2020-09-04 2021-09-24 支付宝(杭州)信息技术有限公司 Data management method, device and equipment based on trusted hardware
CN111814156B (en) 2020-09-04 2022-04-29 支付宝(杭州)信息技术有限公司 Data acquisition method, device and equipment based on trusted equipment
CN111814196B (en) 2020-09-04 2021-01-05 支付宝(杭州)信息技术有限公司 Data processing method, device and equipment
CN111931238B (en) 2020-09-15 2021-05-04 支付宝(杭州)信息技术有限公司 Block chain-based data asset transfer method, device and equipment
CN113012008B (en) 2020-09-15 2022-06-03 支付宝(杭州)信息技术有限公司 Identity management method, device and equipment based on trusted hardware
CN111930846B (en) 2020-09-15 2021-02-23 支付宝(杭州)信息技术有限公司 Data processing method, device and equipment
CN112163009A (en) * 2020-09-30 2021-01-01 平安普惠企业管理有限公司 User side data acquisition method and device, electronic equipment and storage medium
CN113010870B (en) * 2020-10-10 2024-07-05 支付宝(杭州)信息技术有限公司 Service processing method, device and equipment based on digital certificate
CN112184194A (en) * 2020-11-02 2021-01-05 立旃(上海)科技有限公司 Resource authorization method and device based on block chain
CN112560066A (en) * 2020-12-24 2021-03-26 航天科工网络信息发展有限公司 Data content access authority control method based on character string bit operation
CN112733121B (en) * 2021-01-13 2024-09-20 京东科技信息技术有限公司 Data acquisition method, device, equipment and storage medium
CN113541965B (en) * 2021-01-27 2024-04-09 支付宝(杭州)信息技术有限公司 Communication authorization method, device, equipment and storage medium based on blockchain
CN113162762B (en) * 2021-04-16 2022-07-19 北京深思数盾科技股份有限公司 Key authorization method, encryption machine, terminal and storage medium
CN113221142A (en) * 2021-05-11 2021-08-06 支付宝(杭州)信息技术有限公司 Authorization service processing method, device, equipment and system
CN113452704B (en) * 2021-06-28 2022-08-09 湖南天河国云科技有限公司 Distributed identity identification-based credible interconnection method and device for heterogeneous industrial equipment
CN115037484B (en) * 2022-08-10 2022-11-01 捷德(中国)科技有限公司 Digital collection receiving method and device and electronic equipment
CN115913772B (en) * 2022-12-20 2024-06-04 四川启睿克科技有限公司 Intelligent home equipment safety protection system and method based on zero trust
CN115664865B (en) * 2022-12-27 2023-05-12 深圳巨隆基科技有限公司 Verification data transmission method, system, computer equipment and storage medium

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8201214B1 (en) * 2005-09-30 2012-06-12 Apple Inc. Ad-hoc user account creation
US20170364936A1 (en) * 2016-06-15 2017-12-21 CouponCo Ltd. Computer-implemented electronic coupon system and methods using a blockchain
US11227675B2 (en) * 2016-08-23 2022-01-18 BBM Health LLC Blockchain-based mechanisms for secure health information resource exchange
CN106973036B (en) * 2017-02-07 2020-04-14 杭州云象网络技术有限公司 Block chain privacy protection method based on asymmetric encryption
CN108810006B (en) * 2018-06-25 2021-08-10 百度在线网络技术(北京)有限公司 Resource access method, device, equipment and storage medium
CN109600366A (en) * 2018-12-06 2019-04-09 中链科技有限公司 The method and device of protection user data privacy based on block chain
CN110069908A (en) * 2019-04-11 2019-07-30 深圳前海微众银行股份有限公司 A kind of authority control method and device of block chain
CN110636043A (en) * 2019-08-16 2019-12-31 中国人民银行数字货币研究所 File authorization access method, device and system based on block chain
CN115396114A (en) * 2019-10-11 2022-11-25 支付宝(杭州)信息技术有限公司 Authorization method, device, equipment and system based on verifiable statement
CN110795501A (en) * 2019-10-11 2020-02-14 支付宝(杭州)信息技术有限公司 Method, device, equipment and system for creating verifiable statement based on block chain

Also Published As

Publication number Publication date
CN110990804A (en) 2020-04-10
CN111680274A (en) 2020-09-18
CN111680274B (en) 2022-11-22

Similar Documents

Publication Publication Date Title
CN110990804B (en) Resource access method, device and equipment
CN111431936B (en) Authorization processing method, device, equipment, system and storage medium based on verifiable statement
CN107426169B (en) Service processing method and device based on permission
CN109614823B (en) Data processing method, device and equipment
CN112671769B (en) Electronic contract signing method, device and equipment
CN107370730B (en) Login information processing method and equipment
CN112581131B (en) Asset transfer method, device, equipment and system
CN111311251B (en) Binding processing method, device and equipment
CN111008841B (en) Service processing system, service processing method, device and equipment
CN111191268A (en) Storage method, device and equipment capable of verifying statement
CN111724170A (en) Service processing system, service processing method, device and equipment
CN110781192B (en) Verification method, device and equipment of block chain data
CN110933117B (en) Derivation and verification method, device and equipment of digital identity information
CN111400681B (en) Data authority processing method, device and equipment
CN113221142A (en) Authorization service processing method, device, equipment and system
CN110334160A (en) Relationship binding method, device and equipment based on block chain
CN113282628A (en) Big data platform access method and device, big data platform and electronic equipment
CN117494178A (en) Function access method, device and storage medium
CN112100610B (en) Processing method, device and equipment for login and user login related services
CN113946260A (en) Data processing method, device and equipment
CN111967764A (en) Service access verification method and device and electronic equipment
CN111784550B (en) Method, device and equipment for processing inherited service
CN112231757B (en) Privacy protection method, device and equipment for embedded application
CN112861187A (en) Data processing method and device based on block chain
CN111967846A (en) Service access verification method and device and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40026943

Country of ref document: HK

TR01 Transfer of patent right

Effective date of registration: 20240920

Address after: Room 803, floor 8, No. 618 Wai Road, Huangpu District, Shanghai 200010

Patentee after: Ant blockchain Technology (Shanghai) Co.,Ltd.

Country or region after: China

Address before: 310000 801-11 section B, 8th floor, 556 Xixi Road, Xihu District, Hangzhou City, Zhejiang Province

Patentee before: Alipay (Hangzhou) Information Technology Co.,Ltd.

Country or region before: China

TR01 Transfer of patent right